From nobody Tue Oct 29 18:49:55 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XdK7R4zPlz5bnD1;
	Tue, 29 Oct 2024 18:49:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4XdK7R4JNZz446Q;
	Tue, 29 Oct 2024 18:49:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1730227795;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mTO/0CbQKx+G1dfH+n0w0RyYed77mpjUuwkKpLAiWUY=;
	b=gCnDRF8KHEiSoazTaaXz2I/FwM+Wvhx+YSgVw2+OMxJ7N1LMU15p5+QEJUiyVsb6OcU2c0
	OmBgY8jOKREfr1SVVOy+CnPR+sXlP4yNQHgFl+I0wYU9bknQPK3bmTfTTnDO82jEMadzlL
	fSYbSnBLuvJyrqdHwmNrgI8gfgs35qCG2XwIPKhcKv9bWlNxV/eFvkAAurkObjiHTrrGvP
	0GAiXUh9JZfGdmwKkscbpGGmasdy1p2kWWloJIsNd1FgWSF62ef+8qt1xr0tUbaqu26rdg
	zKgQgEYMu30OOScA2Gy8KjkVsekYBXOBsf5dF1yKspQ94bQqOmv3jS/Pdd++SA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1730227795;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mTO/0CbQKx+G1dfH+n0w0RyYed77mpjUuwkKpLAiWUY=;
	b=Z4wzR/PB/YZIfpLkgSlUmPfBdXczaKyV6RhwPp4gGfu0ypqQZZAT+www5hBDlcSyokiecI
	Y/GRIG+1E310nfTqF0Fmf55IjCXsA8401wY/V4lyQ8FMIF0AHUGX0Lk1HxCPDnB2SOLZhu
	AH5ztdpGi3C+Zag6MFDxdstV7p19SURSKmOU+Jo+GqKn6WKeE3ArcCISm0r4g1Y9TTr66X
	rFkQNM6QTMdhC1nolGQL39l/N4460ZcZvpHZPiStxUt4/xf20216mbb4YW8LQDMxZBnO4H
	GHfIWA2jR5OTvNLaWiKZqztFZK9SdqCStFXgCfQC81s3zI9GcCi31yHV/wlbCQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1730227795; a=rsa-sha256; cv=none;
	b=FqjsUEf8GXklJHeeAyutXRQwaqc4cwvq7Id0Kj7SgpOLwhm2B8r3h5PyrP7jE06gKz4n8g
	La5JbQcEkZ4Ho4Dbdy/q5n1yjD9TvJw2lR9G6PgSP22DpH4FW3MNf4sv28YQbI0K6gbfKQ
	F3vzNsP/hZEykn/fQjbOaOjPKAeqKXc4aQA3DaivshjOvoicqI+iuqNz+F7wRl6bqARRBw
	gdYxqZGnwssdKpcxBxmHGTrKTQw71PxJf9rpYWdqTlZknr1fMfgTz61nIVJ78yS6o8JBok
	xI3Fw4S7npSn43Ol2xbXn3F9p7vVhUIp0iJJdlScBNaVdydf3FLnHw1Xbalk1Q==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XdK7R3ttyzb98;
	Tue, 29 Oct 2024 18:49:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 49TInttG018716;
	Tue, 29 Oct 2024 18:49:55 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 49TInttv018713;
	Tue, 29 Oct 2024 18:49:55 GMT
	(envelope-from git)
Date: Tue, 29 Oct 2024 18:49:55 GMT
Message-Id: <202410291849.49TInttv018713@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: 5d07a7e902fa - releng/13.4 - bhyve/nvme: Fix Infinite
  loop in queue processing
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.4
X-Git-Reftype: branch
X-Git-Commit: 5d07a7e902fa225b9aee635b0073491d54bcc307
Auto-Submitted: auto-generated

The branch releng/13.4 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=5d07a7e902fa225b9aee635b0073491d54bcc307

commit 5d07a7e902fa225b9aee635b0073491d54bcc307
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2024-10-13 13:58:48 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 18:49:18 +0000

    bhyve/nvme: Fix Infinite loop in queue processing
    
    In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
    infinite loops are possible in the bhyve process if the sq->tail value
    is greater than sq->size.
    
    An attacker could overload the host CPU.
    
    Fix is to validate that doorbell values:
     - Are for a valid (i.e., created) queue
     - Are not the same as the previous value
     - Fit within the available capacity
    
    The emulation will generate an Asynchronous Event Notification (Invalid
    Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
    update.
    
    While in the neighborhood, remove a redundant bounds check.
    
    Reported by:    Synacktiv
    MFC after:      1 week
    Security:       HYP-14
    Security:       FreeBSD-SA-24:17.bhyve
    Approved by:    so
    Sponsored by:   Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46064
    
    (cherry picked from commit 5374b9e146811757540e35553a7712c5b9b29239)
    (cherry picked from commit 86ba5941b132c73476a2a1b76ae53902a027b81c)
    (cherry picked from commit df1a36fdfae603ce298b8396ae3388d337c3c5b3)
---
 usr.sbin/bhyve/pci_nvme.c | 81 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 73 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/bhyve/pci_nvme.c b/usr.sbin/bhyve/pci_nvme.c
index cbe4d87b6f60..536f34ddb3ee 100644
--- a/usr.sbin/bhyve/pci_nvme.c
+++ b/usr.sbin/bhyve/pci_nvme.c
@@ -267,6 +267,17 @@ struct pci_nvme_aer {
 	uint16_t	cid;	/* Command ID of the submitted AER */
 };
 
+/** Asynchronous Event Information - Error */
+typedef enum {
+	PCI_NVME_AEI_ERROR_INVALID_DB,
+	PCI_NVME_AEI_ERROR_INVALID_DB_VALUE,
+	PCI_NVME_AEI_ERROR_DIAG_FAILURE,
+	PCI_NVME_AEI_ERROR_PERSISTANT_ERR,
+	PCI_NVME_AEI_ERROR_TRANSIENT_ERR,
+	PCI_NVME_AEI_ERROR_FIRMWARE_LOAD_ERR,
+	PCI_NVME_AEI_ERROR_MAX,
+} pci_nvme_async_event_info_error;
+
 /** Asynchronous Event Information - Notice */
 typedef enum {
 	PCI_NVME_AEI_NOTICE_NS_ATTR_CHANGED = 0,
@@ -2841,6 +2852,38 @@ complete:
 	pthread_mutex_unlock(&sq->mtx);
 }
 
+/*
+ * Check for invalid doorbell write values
+ * See NVM Express Base Specification, revision 2.0
+ * "Asynchronous Event Information - Error Status" for details
+ */
+static bool
+pci_nvme_sq_doorbell_valid(struct nvme_submission_queue *sq, uint64_t value)
+{
+	uint64_t	capacity;
+
+	/*
+	 * Queue empty : head == tail
+	 * Queue full  : head is one more than tail accounting for wrap
+	 * Therefore, can never have more than (size - 1) entries
+	 */
+	if (sq->head == sq->tail)
+		capacity = sq->size - 1;
+	else if (sq->head > sq->tail)
+		capacity = sq->size - (sq->head - sq->tail) - 1;
+	else
+		capacity = sq->tail - sq->head - 1;
+
+	if ((value == sq->tail) ||	/* same as previous */
+	    (value > capacity))	{	/* exceeds queue capacity */
+		EPRINTLN("%s: SQ size=%u head=%u tail=%u capacity=%lu value=%lu",
+		    __func__, sq->size, sq->head, sq->tail, capacity, value);
+		return false;
+	}
+
+	return true;
+}
+
 static void
 pci_nvme_handle_doorbell(struct pci_nvme_softc* sc,
 	uint64_t idx, int is_sq, uint64_t value)
@@ -2853,22 +2896,34 @@ pci_nvme_handle_doorbell(struct pci_nvme_softc* sc,
 			WPRINTF("%s queue index %lu overflow from "
 			         "guest (max %u)",
 			         __func__, idx, sc->num_squeues);
+			pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
+			    PCI_NVME_AEI_ERROR_INVALID_DB);
+			return;
+		}
+
+		if (sc->submit_queues[idx].qbase == NULL) {
+			WPRINTF("%s write to SQ %lu before created", __func__,
+			    idx);
+			pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
+			    PCI_NVME_AEI_ERROR_INVALID_DB);
+			return;
+		}
+
+		if (!pci_nvme_sq_doorbell_valid(&sc->submit_queues[idx], value)) {
+			EPRINTLN("%s write to SQ %lu of %lu invalid", __func__,
+			    idx, value);
+			pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
+			    PCI_NVME_AEI_ERROR_INVALID_DB_VALUE);
 			return;
 		}
 
 		atomic_store_short(&sc->submit_queues[idx].tail,
 		                   (uint16_t)value);
 
-		if (idx == 0) {
+		if (idx == 0)
 			pci_nvme_handle_admin_cmd(sc, value);
-		} else {
+		else {
 			/* submission queue; handle new entries in SQ */
-			if (idx > sc->num_squeues) {
-				WPRINTF("%s SQ index %lu overflow from "
-				         "guest (max %u)",
-				         __func__, idx, sc->num_squeues);
-				return;
-			}
 			pci_nvme_handle_io_cmd(sc, (uint16_t)idx);
 		}
 	} else {
@@ -2876,6 +2931,16 @@ pci_nvme_handle_doorbell(struct pci_nvme_softc* sc,
 			WPRINTF("%s queue index %lu overflow from "
 			         "guest (max %u)",
 			         __func__, idx, sc->num_cqueues);
+			pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
+			    PCI_NVME_AEI_ERROR_INVALID_DB);
+			return;
+		}
+
+		if (sc->compl_queues[idx].qbase == NULL) {
+			WPRINTF("%s write to CQ %lu before created", __func__,
+			    idx);
+			pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
+			    PCI_NVME_AEI_ERROR_INVALID_DB);
 			return;
 		}