Date: Fri, 11 Nov 2022 01:24:26 GMT
Message-Id: <202211110124.2AB1OQsU027135@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 0d347cf94942 - stable/13 - bhyve e1000: Sanitize transmit ring indices.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 0d347cf94942914c7eb15360c995df9c9091720c

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=0d347cf94942914c7eb15360c995df9c9091720c

commit 0d347cf94942914c7eb15360c995df9c9091720c
Author:     John Baldwin
AuthorDate: 2022-08-29 22:35:15 +0000
Commit:     John Baldwin
CommitDate: 2022-11-11 00:41:55 +0000

    bhyve e1000: Sanitize transmit ring indices.

    When preparing to transmit pending packets, ensure that the head (TDH)
    and tail (TDT) indices are in bounds.  Note that validating values
    when they are written is not sufficient along as the transmit length
    (TDLEN) could be changed turning a value that was valid when written
    into an out of bounds value.

    While here, add further restrictions to the head register (TDH).  The
    manual states that writing to this value while transmit is enabled can
    cause unexpected behavior and that it should only be written after a
    reset.  As such, ignore attempts to write while transmit is active,
    and also ignore writes of non-zero values.  Later e1000 chipsets have
    this register as read-only.

    Also ignore any attempts to transmit packets if the transmit ring's
    size is zero.

PR: 264567 Reported by: Robert Morris Reviewed by: emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36269 (cherry picked from commit 7afe342dcb38b624488009bb6bdfa5337e628ffc) --- usr.sbin/bhyve/pci_e82545.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index ffa1989c8f52..9a7fb13ae3c2 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1467,9 +1467,12 @@ e82545_tx_run(struct e82545_softc *sc) uint16_t head, rhead, tail, size; int lim, tdwb, sent; - head = sc->esc_TDH; - tail = sc->esc_TDT; size = sc->esc_TDLEN / 16; + if (size == 0) + return; + + head = sc->esc_TDH % size; + tail = sc->esc_TDT % size; DPRINTF("tx_run: head %x, rhead %x, tail %x", sc->esc_TDH, sc->esc_TDHr, sc->esc_TDT); @@ -1735,12 +1738,17 @@ e82545_write_register(struct e82545_softc *sc, uint32_t offset, uint32_t value) e82545_tx_update_tdba(sc); break; case E1000_TDH(0): - //assert(!sc->esc_tx_enabled); - /* XXX should only ever be zero ? Range check ? */ + if (sc->esc_tx_enabled) { + WPRINTF("ignoring write to TDH while transmit enabled"); + break; + } + if (value != 0) { + WPRINTF("ignoring non-zero value written to TDH"); + break; + } sc->esc_TDHr = sc->esc_TDH = value; break; case E1000_TDT(0): - /* XXX range check ? */ sc->esc_TDT = value; if (sc->esc_tx_enabled) e82545_tx_start(sc);
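Review bot: In the e82545_tx_run hunk, the DPRINTF that follows the new assignments still prints sc->esc_TDH and sc->esc_TDT, so the trace shows the raw guest-written registers rather than the head and tail the function goes on to use after "% size". Print the sanitized locals (or both) so that an out-of-range register value is visible when debugging. The modulo also wraps an out-of-range index onto a different in-range slot without any message; a short comment above "head = sc->esc_TDH % size;" saying that wrapping was chosen over rejecting, and that the check lives here because TDLEN can change after TDH/TDT were written, would keep the commit message's reasoning next to the code.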
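Review bot: In the e82545_write_register hunk, the E1000_TDT(0) case drops the "XXX range check ?" comment while "sc->esc_TDT = value;" still stores the guest value unchecked. Since bounds are now enforced only at use, replace the comment with one that points to e82545_tx_run instead of deleting it, so a later reader does not add a consumer that trusts the stored value. In the E1000_TDH(0) case the assignment can only be reached with value equal to zero, so "sc->esc_TDHr = sc->esc_TDH = 0;" would state the intent directly. Both new WPRINTF calls sit on a register-write path the guest can trigger repeatedly; is the macro gated or rate limited?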
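The reasoning in the commit message, as an added example (a stand-alone model, not bhyve code; `ring_model`, `write_tdt_checked`, `stored_tail_out_of_bounds` and `tx_indices` are hypothetical names): a tail index accepted by a write-time check goes out of bounds once the ring length shrinks, while the use-time check still yields in-range indices.

```c
/* Added example: a model of the TX ring registers, not bhyve code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 16u	/* bytes per descriptor, as in "TDLEN / 16" */

struct ring_model {	/* hypothetical stand-in for the device softc */
	uint32_t tdlen;	/* ring length in bytes, guest-writable */
	uint32_t tdh, tdt;	/* head and tail indices, guest-writable */
};

/* Write-time check only: accept a tail that fits the ring as sized now. */
static bool write_tdt_checked(struct ring_model *r, uint32_t value) {
	uint32_t size = r->tdlen / DESC_SIZE;
	if (size == 0 || value >= size)
		return false;
	r->tdt = value;
	return true;
}

/* True when the stored tail no longer fits the current ring size. */
static bool stored_tail_out_of_bounds(const struct ring_model *r) {
	return r->tdt >= r->tdlen / DESC_SIZE;
}

/* Use-time check as in the commit: refuse an empty ring, then wrap. */
static bool tx_indices(const struct ring_model *r, uint32_t *head, uint32_t *tail) {
	uint32_t size = r->tdlen / DESC_SIZE;
	if (size == 0)
		return false;
	*head = r->tdh % size;
	*tail = r->tdt % size;
	return true;
}

int main(void) {
	struct ring_model r = { .tdlen = 256 * DESC_SIZE };
	uint32_t head, tail;
	write_tdt_checked(&r, 200);	/* valid at write time: 200 < 256 */
	r.tdlen = 64 * DESC_SIZE;	/* the ring is shrunk afterwards */
	printf("stale tail out of bounds: %d\n", stored_tail_out_of_bounds(&r));
	if (tx_indices(&r, &head, &tail))
		printf("indices used: head %u tail %u\n", (unsigned)head, (unsigned)tail);
	return 0;
}
```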