Date: Mon, 29 Aug 2022 22:37:53 GMT
Message-Id: <202208292237.27TMbrrq023127@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: 7afe342dcb38 - main - bhyve e1000: Sanitize transmit ring indices.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7afe342dcb38b624488009bb6bdfa5337e628ffc

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=7afe342dcb38b624488009bb6bdfa5337e628ffc

commit
7afe342dcb38b624488009bb6bdfa5337e628ffc
Author:     John Baldwin
AuthorDate: 2022-08-29 22:35:15 +0000
Commit:     John Baldwin
CommitDate: 2022-08-29 22:36:57 +0000

    bhyve e1000: Sanitize transmit ring indices.

    When preparing to transmit pending packets, ensure that the head (TDH)
    and tail (TDT) indices are in bounds. Note that validating values when
    they are written is not sufficient alone as the transmit length (TDLEN)
    could be changed turning a value that was valid when written into an
    out of bounds value.

    While here, add further restrictions to the head register (TDH). The
    manual states that writing to this value while transmit is enabled can
    cause unexpected behavior and that it should only be written after a
    reset. As such, ignore attempts to write while transmit is active, and
    also ignore writes of non-zero values. Later e1000 chipsets have this
    register as read-only.

    Also ignore any attempts to transmit packets if the transmit ring's
    size is zero.

    PR: 264567
    Reported by: Robert Morris
    Reviewed by: emaste
    MFC after: 1 week
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D36269
---
 usr.sbin/bhyve/pci_e82545.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index d3f61bf57b0d..dcded0b8b1ae 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1466,9 +1466,12 @@ e82545_tx_run(struct e82545_softc *sc) uint16_t head, rhead, tail, size; int lim, tdwb, sent; - head = sc->esc_TDH; - tail = sc->esc_TDT; size = sc->esc_TDLEN / 16; + if (size == 0) + return; + + head = sc->esc_TDH % size; + tail = sc->esc_TDT % size; DPRINTF("tx_run: head %x, rhead %x, tail %x", sc->esc_TDH, sc->esc_TDHr, sc->esc_TDT); 
@@ -1734,12 +1737,17 @@ e82545_write_register(struct e82545_softc *sc, uint32_t offset, uint32_t value) e82545_tx_update_tdba(sc); break; case E1000_TDH(0): - //assert(!sc->esc_tx_enabled); - /* XXX should only ever be zero ? Range check ? */ + if (sc->esc_tx_enabled) { + WPRINTF("ignoring write to TDH while transmit enabled"); + break; + } + if (value != 0) { + WPRINTF("ignoring non-zero value written to TDH"); + break; + } sc->esc_TDHr = sc->esc_TDH = value; break; case E1000_TDT(0): - /* XXX range check ? */ sc->esc_TDT = value; if (sc->esc_tx_enabled) e82545_tx_start(sc);
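
Review bot: In the e82545_tx_run() hunk (@@ -1466,9 +1466,12 @@), head and tail are reduced modulo size, but rhead is declared on the same line and sc->esc_TDHr is still passed raw to the DPRINTF; the visible lines do not show esc_TDHr getting the same treatment. If rhead is used as a descriptor index further down, it needs the same "% size" reduction or should be derived from the sanitized head. Two smaller points on the same lines: the "if (size == 0) return;" path is silent while the TDH write path logs through WPRINTF, so a matching warning would make a misconfigured ring easier to diagnose; and the DPRINTF prints the raw register values rather than the head and tail the function will actually use, so printing both would help when the two differ.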
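
Review bot: In the e82545_write_register() hunk (@@ -1734,12 +1737,17 @@), the E1000_TDT(0) case drops the "/* XXX range check ? */" comment without a replacement, so a reader has to work out that the tail is stored unchecked on purpose. A one-line comment there saying that TDT is bounded in e82545_tx_run() because TDLEN can change after the write would record the commit message's reasoning where it matters. In the E1000_TDH(0) case, value is always 0 once both new checks have passed, so "sc->esc_TDHr = sc->esc_TDH = 0;" would state the intent more directly than assigning value.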
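
The stale-index case the commit message describes (an index that was valid when written and is out of bounds after TDLEN changes), as an added C example that is not part of the commit or of bhyve. `struct ring_regs` and the function names are hypothetical, and the register values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define DESC_SIZE 16u /* the patch computes size as TDLEN / 16 */

/* Hypothetical model of the guest-writable registers, not bhyve's softc. */
struct ring_regs { uint32_t tdlen, tdh, tdt; }; /* length in bytes, head, tail */

/* Write-time validation only: tail checked against the length at that moment. */
static bool write_tail_checked(struct ring_regs *r, uint32_t value)
{
	if (value >= r->tdlen / DESC_SIZE)
		return false;
	r->tdt = value;
	return true;
}

/* Use-time sanitization as in the patch: refuse an empty ring, reduce indices. */
static bool ring_indices(const struct ring_regs *r, uint16_t *head,
    uint16_t *tail, uint16_t *size)
{
	*size = (uint16_t)(r->tdlen / DESC_SIZE);
	if (*size == 0)
		return false;
	*head = (uint16_t)(r->tdh % *size);
	*tail = (uint16_t)(r->tdt % *size);
	return true;
}

/* Constructed scenario: tail 200 accepted for 256 entries, ring then cut to 64. */
static bool stale_tail_scenario(struct ring_regs *r, uint16_t *tail, uint16_t *size)
{
	uint16_t head;
	r->tdlen = 256 * DESC_SIZE;
	r->tdh = 0;
	if (!write_tail_checked(r, 200))
		return false;
	r->tdlen = 64 * DESC_SIZE; /* later length write; stored tdt not rechecked */
	return ring_indices(r, &head, tail, size);
}

int main(void)
{
	struct ring_regs r = { 0, 0, 0 };
	uint16_t tail = 0, size = 0;
	if (stale_tail_scenario(&r, &tail, &size))
		printf("raw tdt %u, ring size %u, index used %u\n",
		    (unsigned)r.tdt, (unsigned)size, (unsigned)tail);
	return 0;
}
```

The stored tail passed its write-time check yet exceeds the ring once the length shrinks; only the reduction at the point of use keeps the index inside the descriptor array.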