Date: Fri, 11 Nov 2022 01:24:34 GMT
Message-Id: <202211110124.2AB1OY2c027341@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 93eafd4479da - stable/12 - bhyve e1000: Sanitize transmit ring indices.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 93eafd4479da09eabbd447490a8661fb7616ba29

The branch stable/12 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=93eafd4479da09eabbd447490a8661fb7616ba29

commit 93eafd4479da09eabbd447490a8661fb7616ba29
Author: John Baldwin
AuthorDate: 2022-08-29 22:35:15 +0000
Commit: John Baldwin
CommitDate: 2022-11-11 01:10:45 +0000

bhyve e1000: Sanitize transmit ring indices.

When preparing to transmit pending packets, ensure that the head (TDH)
and tail (TDT) indices are in bounds. Note that validating values when
they are written is not sufficient alone as the transmit length (TDLEN)
could be changed turning a value that was valid when written into an
out of bounds value.

While here, add further restrictions to the head register (TDH). The
manual states that writing to this value while transmit is enabled can
cause unexpected behavior and that it should only be written after a
reset. As such, ignore attempts to write while transmit is active, and
also ignore writes of non-zero values. Later e1000 chipsets have this
register as read-only.

Also ignore any attempts to transmit packets if the transmit ring's
size is zero.

PR: 264567 Reported by: Robert Morris Reviewed by: emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36269 (cherry picked from commit 7afe342dcb38b624488009bb6bdfa5337e628ffc) --- usr.sbin/bhyve/pci_e82545.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index 0b46ea5dced7..0e73c779f574 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1463,9 +1463,12 @@ e82545_tx_run(struct e82545_softc *sc) uint16_t head, rhead, tail, size; int lim, tdwb, sent; - head = sc->esc_TDH; - tail = sc->esc_TDT; size = sc->esc_TDLEN / 16; + if (size == 0) + return; + + head = sc->esc_TDH % size; + tail = sc->esc_TDT % size; DPRINTF("tx_run: head %x, rhead %x, tail %x", sc->esc_TDH, sc->esc_TDHr, sc->esc_TDT); @@ -1731,12 +1734,17 @@ e82545_write_register(struct e82545_softc *sc, uint32_t offset, uint32_t value) e82545_tx_update_tdba(sc); break; case E1000_TDH(0): - //assert(!sc->esc_tx_enabled); - /* XXX should only ever be zero ? Range check ? */ + if (sc->esc_tx_enabled) { + WPRINTF("ignoring write to TDH while transmit enabled"); + break; + } + if (value != 0) { + WPRINTF("ignoring non-zero value written to TDH"); + break; + } sc->esc_TDHr = sc->esc_TDH = value; break; case E1000_TDT(0): - /* XXX range check ? */ sc->esc_TDT = value; if (sc->esc_tx_enabled) e82545_tx_start(sc);
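
Review bot: in the e82545_tx_run hunk, the DPRINTF that follows the new assignments still prints sc->esc_TDH and sc->esc_TDT rather than the sanitized head and tail, so when the guest has left an index out of range the trace shows the raw register values and not the indices computed here. Consider printing the local head and tail (or both forms), and emitting a WPRINTF when sc->esc_TDH >= size or sc->esc_TDT >= size, in line with how the TDH write path in this same patch reports ignored guest input. A one-line comment above the modulo noting that TDLEN can change after TDH/TDT were written would record in the code why the check sits at use time rather than at write time.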
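
Review bot: in the e82545_write_register hunk, at case E1000_TDT(0), the "XXX range check ?" marker is dropped while the guest-supplied value is still stored unchecked in sc->esc_TDT; replace the marker with a short comment saying the index is reduced modulo the ring size in e82545_tx_run, so a later reader does not take the raw store for an oversight. In the TDH case, value is known to be zero once both checks have passed, so writing sc->esc_TDHr = sc->esc_TDH = 0; would state the invariant directly. Turning the commented-out assert(!sc->esc_tx_enabled) into a logged early break is the right shape for guest-controlled input, since an assert there would let a guest abort the process.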