Patch Detail
GET /api/patches/2216257/?format=api
{ "id": 2216257, "url": "http://patchwork.ozlabs.org/api/patches/2216257/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260326082350.17374-3-its@irrelevant.dk/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260326082350.17374-3-its@irrelevant.dk>", "list_archive_url": null, "date": "2026-03-26T08:23:49", "name": "[PULL,2/2] hw/nvme: fix heap-buffer-overflow in nvme_abort", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "23cf3ac31aa070aab217ecd5dadfa8e684d847df", "submitter": { "id": 77636, "url": "http://patchwork.ozlabs.org/api/people/77636/?format=api", "name": "Klaus Jensen", "email": "its@irrelevant.dk" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260326082350.17374-3-its@irrelevant.dk/mbox/", "series": [ { "id": 497549, "url": "http://patchwork.ozlabs.org/api/series/497549/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=497549", "date": "2026-03-26T08:23:47", "name": "[PULL,1/2] hw/nvme: re-enable wzds bit in namespace dlfeat", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/497549/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2216257/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2216257/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=irrelevant.dk 
header.i=@irrelevant.dk\n header.a=rsa-sha256 header.s=fm3 header.b=PvVR5vTS;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=messagingengine.com header.i=@messagingengine.com\n header.a=rsa-sha256 header.s=fm1 header.b=4r7XUjcs;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "From": "Klaus Jensen <its@irrelevant.dk>", "To": "qemu-devel@nongnu.org", "Cc": "Peter Maydell <peter.maydell@linaro.org>,\n Kaixuan Li <kaixuanli@ntu.edu.sg>, qemu-stable@nongnu.org,\n Klaus Jensen <k.jensen@samsung.com>, Keith Busch <kbusch@kernel.org>,\n Klaus Jensen <its@irrelevant.dk>, Jesper Devantier <foss@defmacro.it>,\n qemu-block@nongnu.org", "Subject": "[PULL 2/2] hw/nvme: fix heap-buffer-overflow in nvme_abort", "Date": "Thu, 26 Mar 2026 09:23:49 +0100", "Message-ID": "<20260326082350.17374-3-its@irrelevant.dk>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260326082350.17374-1-its@irrelevant.dk>", "References": "<20260326082350.17374-1-its@irrelevant.dk>", 
"MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=202.12.124.148; envelope-from=its@irrelevant.dk;\n helo=fout-b5-smtp.messagingengine.com", "X-Spam_score_int": "-27", "X-Spam_score": "-2.8", "X-Spam_bar": "--", "X-Spam_report": "(-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Kaixuan Li <kaixuanli@ntu.edu.sg>\n\nIn nvme_abort(), the submission queue pointer is dereferenced from the\nguest-controlled sqid before validating it with nvme_check_sqid():\n\n NvmeSQueue *sq = n->sq[sqid];\n\nSince sqid is a 16-bit value (range 0-65535) taken directly from CDW10,\nand n->sq[] is typically only max_ioqpairs+1 (65) entries, a malicious\nguest can trigger an out-of-bounds heap read by sending an Abort command\nwith a large sqid.\n\nASan reports this as heap-buffer-overflow in nvme_abort.\n\nFix this by moving the array dereference to after the 
nvme_check_sqid()\nbounds validation.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/3348\nFixes: 75209c071a (\"hw/nvme: actually implement abort\")\nCc: qemu-stable@nongnu.org\nSigned-off-by: Kaixuan Li <kaixuanli@ntu.edu.sg>\nSigned-off-by: Klaus Jensen <k.jensen@samsung.com>\n---\n hw/nvme/ctrl.c | 4 +++-\n 1 file changed, 3 insertions(+), 1 deletion(-)", "diff": "diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c\nindex cc4593cd427a..be6c7028cb58 100644\n--- a/hw/nvme/ctrl.c\n+++ b/hw/nvme/ctrl.c\n@@ -6111,7 +6111,7 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *req)\n {\n uint16_t sqid = le32_to_cpu(req->cmd.cdw10) & 0xffff;\n uint16_t cid = (le32_to_cpu(req->cmd.cdw10) >> 16) & 0xffff;\n- NvmeSQueue *sq = n->sq[sqid];\n+ NvmeSQueue *sq;\n NvmeRequest *r, *next;\n int i;\n \n@@ -6120,6 +6120,8 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *req)\n return NVME_INVALID_FIELD | NVME_DNR;\n }\n \n+ sq = n->sq[sqid];\n+\n if (sqid == 0) {\n for (i = 0; i < n->outstanding_aers; i++) {\n NvmeRequest *re = n->aer_reqs[i];\n", "prefixes": [ "PULL", "2/2" ] }
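Review bot: in the @@ -6111 hunk the new declaration `NvmeSQueue *sq;` is left uninitialized; this is correct as the patch stands, because the only assignment now sits after the nvme_check_sqid() early return, but `NvmeSQueue *sq = NULL;` would turn any future use of sq ahead of that check into a deterministic NULL dereference rather than an indeterminate pointer read, and it documents at the declaration that the value is deliberately deferred.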
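Review bot: in the @@ -6120 hunk the moved line `sq = n->sq[sqid];` now runs only after the `return NVME_INVALID_FIELD | NVME_DNR;` path for an invalid sqid, which closes the out-of-bounds read of n->sq[] that the commit message describes for a 16-bit CDW10 index against a max_ioqpairs+1 sized array; the visible context does not show whether nvme_check_sqid() also rejects an in-range sqid whose queue has not been created (a NULL slot), so it is worth confirming that every later use of sq in nvme_abort() is covered by that check, and a one-line comment above the assignment noting that sqid has been validated would make the ordering constraint explicit for the next person who touches this function.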