
commit 7645f21f409b67eb9aad9feef6283c2e186e3703
Author: Klaus Jensen <>
Date:   Wed Apr 7 07:16:14 2021 +0200

    hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl

    nvme_subsys_ctrl() is used in contexts where the given controller
    identifier is from an untrusted source. Like its friends nvme_ns() and
    nvme_subsys_ns(), nvme_subsys_ctrl() should just return NULL if an
    invalid identifier is given.

    Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command")
    Cc: Minwoo Im <>
    Signed-off-by: Klaus Jensen <>
    Reviewed-by: Minwoo Im <>

diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
index 1cbcad9be2..7d7ef5f7f1 100644
--- a/hw/block/nvme-subsys.h
+++ b/hw/block/nvme-subsys.h
@@ -36,7 +36,7 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp);
 static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys,
         uint32_t cntlid)
-    if (!subsys) {
+    if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS) {
         return NULL;