From nobody Sun Oct 06 15:03:03 2024
Date: Sun, 6 Oct 2024 15:03:03 GMT
Message-Id: <202410061503.496F337v048261@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: ca3d8480ec0c - stable/13 - vmm: avoid potential KASSERT kernel panic in vm_handle_db
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: ca3d8480ec0c06fc74ea95fbf074b975802ecf30
Auto-Submitted: auto-generated

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=ca3d8480ec0c06fc74ea95fbf074b975802ecf30

commit ca3d8480ec0c06fc74ea95fbf074b975802ecf30
Author:     Pierre Pronchery
AuthorDate: 2024-07-25 14:40:35 +0000
Commit:     Ed Maste
CommitDate: 2024-10-06 15:02:51 +0000

    vmm: avoid potential KASSERT kernel panic in vm_handle_db

    If the guest VM emits the exit code VM_EXITCODE_DB, the kernel will
    execute the function named vm_handle_db. If the value of rsp is not
    page aligned and rsp+sizeof(uint64_t) spans across two pages, the
    function vm_copy_setup will need two structs vm_copyinfo to prepare
    the copy operation. For instance, if the rsp value is 0xFFC, two
    vm_copyinfo objects are needed:

    * address=0xFFC, len=4
    * address=0x1000, len=4

    The vulnerability was addressed by commit 51fda658baa ("vmm: Properly
    handle writes spanning across two pages in vm_handle_db"). Still,
    replace the KASSERT with an error return as a more defensive approach.
Reported by: Synacktiv Reviewed by markj, emaste Security: HYP-09 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46133 (cherry picked from commit d19fa9c1b72bc52e51524abcc59ad844012ec365) (cherry picked from commit f8db6fb90e739293d6d72310fa554ede072f8232) --- sys/amd64/vmm/vmm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c index ac2dd4142dd0..1bf2077ef2a1 100644 --- a/sys/amd64/vmm/vmm.c +++ b/sys/amd64/vmm/vmm.c @@ -2728,7 +2728,8 @@ vm_copy_setup(struct vcpu *vcpu, struct vm_guest_paging *paging, nused = 0; remaining = len; while (remaining > 0) { - KASSERT(nused < num_copyinfo, ("insufficient vm_copyinfo")); + if (nused >= num_copyinfo) + return (EFAULT); error = vm_gla2gpa(vcpu, paging, gla, prot, &gpa, fault); if (error || *fault) return (error);
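Review bot: the new `if (nused >= num_copyinfo) return (EFAULT);` carries no comment saying why a caller-side sizing bug is now reported as EFAULT instead of asserted, and it leaves `*fault` undefined on one path: with `num_copyinfo == 0` the check fires on the first iteration, before `vm_gla2gpa()` has ever written `*fault`, yet the hunk itself shows callers are expected to test both values (`if (error || *fault)`). Suggest `*fault = 0;` immediately before the `return (EFAULT);` (or an explicit `num_copyinfo > 0` check ahead of the loop) plus a one-line comment such as `/* caller supplied too few copyinfo entries for len */` so the EFAULT is not mistaken for a guest-side translation failure.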
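To make the page-spanning case in the commit message concrete, here is an added user-space model of the chunking loop in vm_copy_setup, written for this page and not taken from FreeBSD's vmm. It splits a guest linear range into page-bounded pieces, one per struct vm_copyinfo, and returns EFAULT instead of asserting when the caller supplied too few entries, which is the behaviour the patch introduces. The helper names model_* are hypothetical; the example assumes 4 KiB pages and an identity guest-linear-to-physical mapping in place of vm_gla2gpa.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FreeBSD vmm code. Models the first loop of
 * vm_copy_setup(): carve [gla, gla+len) into page-bounded chunks.
 * Assumptions: 4 KiB pages, identity translation (gla == gpa).
 */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1)

struct vm_copyinfo {
	uint64_t gpa;
	size_t   len;
};

/* Hypothetical stand-in for vm_gla2gpa(): identity map, never faults. */
static int
model_gla2gpa(uint64_t gla, uint64_t *gpa, int *fault)
{
	*gpa = gla;
	*fault = 0;
	return (0);
}

/*
 * Fills copyinfo[0..*nused_out) and returns 0 on success. Returns EFAULT
 * (with *fault cleared) when num_copyinfo entries cannot describe the range,
 * which is the condition the patched KASSERT used to panic on.
 */
int
model_copy_setup(uint64_t gla, size_t len, struct vm_copyinfo *copyinfo,
    int num_copyinfo, int *nused_out, int *fault)
{
	int error, nused;
	size_t n, off, remaining;
	uint64_t gpa;

	nused = 0;
	remaining = len;
	while (remaining > 0) {
		if (nused >= num_copyinfo) {	/* caller passed too few entries */
			*fault = 0;
			return (EFAULT);
		}
		error = model_gla2gpa(gla, &gpa, fault);
		if (error || *fault)
			return (error);
		off = gpa & PAGE_MASK;			/* offset within this page */
		n = remaining < PAGE_SIZE - off ? remaining : PAGE_SIZE - off;
		copyinfo[nused].gpa = gpa;
		copyinfo[nused].len = n;
		remaining -= n;
		gla += n;
		nused++;
	}
	*nused_out = nused;
	return (0);
}

/* Number of copyinfo entries a range needs: the number of pages it touches. */
int
model_pages_spanned(uint64_t gla, size_t len)
{
	if (len == 0)
		return (0);
	return (int)(((gla + len - 1) >> PAGE_SHIFT) - (gla >> PAGE_SHIFT) + 1);
}

int
main(void)
{
	struct vm_copyinfo ci[2];
	int nused = 0, fault = 0, i;
	uint64_t rsp = 0xFFC;	/* the commit message's example stack pointer */

	/* rsp + 8 crosses a page boundary, so one entry is too few ... */
	if (model_copy_setup(rsp, sizeof(uint64_t), ci, 1, &nused, &fault) == EFAULT)
		printf("1 copyinfo: EFAULT (a KASSERT panic before the patch)\n");
	/* ... while two entries describe it as 0xFFC/4 and 0x1000/4. */
	if (model_copy_setup(rsp, sizeof(uint64_t), ci, 2, &nused, &fault) == 0) {
		for (i = 0; i < nused; i++)
			printf("address=0x%llx len=%zu\n",
			    (unsigned long long)ci[i].gpa, ci[i].len);
	}
	return (0);
}
```

The general rule the model makes visible is that a copy of len bytes at an arbitrary guest address needs as many vm_copyinfo entries as pages it touches, so a caller that sizes its copyinfo array for the aligned case only (one entry for an 8-byte stack slot) is exactly the caller this check now protects.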