From nobody Tue Oct 29 19:28:13 2024
Date: Tue, 29 Oct 2024 19:28:13 GMT
Message-Id: <202410291928.49TJSDcg094319@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: babfd2e46762 - stable/14 - bhyve: Initialize stack buffer in pci_ahci
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: babfd2e46762cb835fec66945aa60404f247c521
Auto-Submitted: auto-generated

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=babfd2e46762cb835fec66945aa60404f247c521

commit babfd2e46762cb835fec66945aa60404f247c521
Author:     Pierre Pronchery
AuthorDate: 2024-07-23 14:34:03 +0000
Commit:     Ed Maste
CommitDate: 2024-10-29 19:19:45 +0000

    bhyve: Initialize stack buffer in pci_ahci

    In the function ahci_handle_dsm_trim, if the call to read_prdt fails,
    the variable buf[512] is used while it contains uninitialized data.

    It is easy to make the call to read_prdt fail, for instance if
    hdr->prdtl == NULL, the function will return without writing anything in
    buf.

    In addition, this code could be hardened by checking the value of done
    before accessing &buf[done].

    Reported by:    Synacktiv
    Reviewed by:    markj
    Security:       HYP-15
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46090

    (cherry picked from commit 71fa171c6480d60f4d9c01dea1c71a7249e7b8ab)
---
 usr.sbin/bhyve/pci_ahci.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/pci_ahci.c b/usr.sbin/bhyve/pci_ahci.c
index 1eef285a871c..e4c877229425 100644
--- a/usr.sbin/bhyve/pci_ahci.c
+++ b/usr.sbin/bhyve/pci_ahci.c
@@ -782,7 +782,7 @@ ahci_handle_flush(struct ahci_port *p, int slot, uint8_t *cfis) assert(err == 0); } -static inline void +static inline unsigned int read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf, unsigned int size) { @@ -809,6 +809,7 @@ read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf, to += sublen; prdt++; } + return (size - len); } static void @@ -821,6 +822,7 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done uint32_t len, elen; int err, first, ncq; uint8_t buf[512]; + unsigned int written; first = (done == 0); if (cfis[2] == ATA_DATA_SET_MANAGEMENT) { @@ -832,9 +834,12 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done len *= 512; ncq = 1; } - read_prdt(p, slot, cfis, buf, sizeof(buf)); + written = read_prdt(p, slot, cfis, buf, sizeof(buf)); + memset(buf + written, 0, sizeof(buf) - written); next: + if (done >= sizeof(buf) - 8) + return; entry = &buf[done]; elba = ((uint64_t)entry[5] << 40) | ((uint64_t)entry[4] << 32) |
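Review bot: on the `@@ -782,7` hunk, read_prdt() now returns a value that callers have to act on, so the changed prototype needs a comment stating the contract (the number of bytes copied into buf, 0 when nothing could be read); as it stands, the memset() arithmetic at the one call site in this patch is the only documentation of what the return value means. It is also worth confirming that no other read_prdt() caller exists, since any such caller would now discard a return value without a compiler warning.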
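Review bot: on the `@@ -809,6` hunk, `return (size - len);` is the byte count only if `len` starts equal to `size` and is decremented by `sublen` on every copy; the hunk shows `to += sublen;` but not how `len` is maintained, so a one-line comment next to the return (or a separately tracked `copied` counter) would make the invariant explicit and keep a later change to the loop from silently breaking the caller's memset() bound.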
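Review bot: on the `@@ -832,9` hunk, the new bound `if (done >= sizeof(buf) - 8) return;` is one entry too strict: buf is 512 bytes and a range entry is 8 bytes, so an entry at &buf[504] ends at buf[511] and is in bounds, yet done == 504 now returns and the 64th entry of a full payload is never processed. `if (done + 8 > sizeof(buf)) return;` keeps the out-of-bounds protection without dropping it. The literal 8 should also be a named constant (or at least a comment) tied to the entry[] indexing that follows so the check and the decode cannot drift apart, and the silent `return` deserves a comment saying why leaving the command incomplete is the intended behaviour when the guest supplies more entries than fit.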
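As an added example, not bhyve code and not part of this commit, the following host-side C model reproduces the two defects the commit message describes and their fix side by side: a guest PRDT that is empty (prdtl == 0) or shorter than the 512-byte buffer leaves stale bytes that the pre-fix parser turns into TRIM ranges, while the patched sequence (use read_prdt's byte count, zero the unread tail, bound `done` before indexing) yields only the guest-supplied ranges. `struct prdt_entry`, the 0xA5 "stale stack" fill, the payloads and all function names are constructed stand-ins; the 8-byte entry layout (48-bit LBA, 16-bit count) is assumed from the ATA DSM TRIM format and the shifts visible in the patch, and the bound is written as `done + 8 <= 512` rather than the patch's `done >= sizeof(buf) - 8`, which also skips the last entry.

```c
/* Added example (not bhyve code): host-side model of the pci_ahci DSM TRIM path. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE        512	/* size of buf[] in ahci_handle_dsm_trim */
#define TRIM_ENTRY_SIZE 8	/* DSM TRIM range: 48-bit LBA + 16-bit count (assumed ATA layout) */

/* Hypothetical stand-in for a guest PRDT entry: a host pointer instead of a guest address. */
struct prdt_entry { const uint8_t *data; unsigned int len; };
struct trim_range { uint64_t lba; uint32_t count; };

/* Model of the patched read_prdt(): copy up to size bytes and return how many were written. */
static unsigned int
model_read_prdt(const struct prdt_entry *prdt, unsigned int prdtl, uint8_t *buf, unsigned int size)
{
	unsigned int len = size, sublen;
	uint8_t *to = buf;
	for (; len > 0 && prdtl > 0; prdt++, prdtl--) {
		sublen = prdt->len < len ? prdt->len : len;
		memcpy(to, prdt->data, sublen);
		len -= sublen;
		to += sublen;
	}
	return (size - len);	/* 0 when prdtl == 0: buf is left untouched */
}

/* Decode one range entry; the byte order follows the shifts in the patched code. */
static void
decode_entry(const uint8_t *e, struct trim_range *r)
{
	r->lba = ((uint64_t)e[5] << 40) | ((uint64_t)e[4] << 32) | ((uint64_t)e[3] << 24) |
	    ((uint64_t)e[2] << 16) | ((uint64_t)e[1] << 8) | e[0];
	r->count = e[6] | (e[7] << 8);
}

/* Pre-fix behaviour: buf stands in for the uninitialised stack array, so bytes read_prdt()
 * did not overwrite are parsed as ranges, and done is never bounded (only max stops it here). */
static size_t
trim_ranges_vulnerable(const struct prdt_entry *prdt, unsigned int prdtl,
    uint8_t buf[BUF_SIZE], struct trim_range *out, size_t max)
{
	uint32_t done = 0;
	size_t n = 0;
	struct trim_range r;
	(void)model_read_prdt(prdt, prdtl, buf, BUF_SIZE);	/* return value ignored */
	while (n < max) {
		decode_entry(&buf[done], &r);
		done += TRIM_ENTRY_SIZE;
		if (r.count == 0)
			break;				/* a zero-length range ends the list */
		out[n++] = r;
	}
	return (n);
}

/* Post-fix behaviour: zero the unread tail and bound done before indexing buf. */
static size_t
trim_ranges_hardened(const struct prdt_entry *prdt, unsigned int prdtl,
    uint8_t buf[BUF_SIZE], struct trim_range *out, size_t max)
{
	unsigned int written = model_read_prdt(prdt, prdtl, buf, BUF_SIZE);
	uint32_t done = 0;
	size_t n = 0;
	struct trim_range r;
	memset(buf + written, 0, BUF_SIZE - written);	/* unread tail now reads as zero entries */
	/* The patch's check is `done >= sizeof(buf) - 8`; this form also admits the last entry. */
	while (n < max && done + TRIM_ENTRY_SIZE <= BUF_SIZE) {
		decode_entry(&buf[done], &r);
		done += TRIM_ENTRY_SIZE;
		if (r.count == 0)
			break;
		out[n++] = r;
	}
	return (n);
}

enum scenario { EMPTY_PRDT, SHORT_PRDT, FULL_PRDT };

/* Run one constructed guest scenario through either parser. buf is pre-filled with 0xA5
 * (plus one zero entry at offset 16) to stand in for whatever the stack held before. */
static size_t
trim_demo(enum scenario s, int hardened, struct trim_range *out, size_t max)
{
	static const uint8_t one_range[TRIM_ENTRY_SIZE] = { 0x00, 0x10, 0, 0, 0, 0, 0x08, 0 };
	uint8_t payload[BUF_SIZE] = { 0 }, buf[BUF_SIZE];
	struct prdt_entry prdt = { one_range, TRIM_ENTRY_SIZE };	/* LBA 0x1000, 8 sectors, no terminator */
	unsigned int i, prdtl = (s == EMPTY_PRDT) ? 0 : 1;	/* prdtl == 0: read_prdt() copies nothing */
	if (s == FULL_PRDT) {			/* 64 ranges: LBA i << 8, 16 sectors each */
		for (i = 0; i < BUF_SIZE / TRIM_ENTRY_SIZE; i++) {
			payload[i * TRIM_ENTRY_SIZE + 1] = (uint8_t)i;
			payload[i * TRIM_ENTRY_SIZE + 6] = 16;
		}
		prdt = (struct prdt_entry){ payload, BUF_SIZE };
	}
	memset(buf, 0xA5, BUF_SIZE);
	memset(buf + 16, 0, TRIM_ENTRY_SIZE);
	return (hardened ? trim_ranges_hardened(&prdt, prdtl, buf, out, max)
	    : trim_ranges_vulnerable(&prdt, prdtl, buf, out, max));
}
```

With the constructed stale fill, the pre-fix parser reports two ranges (LBA 0xA5A5A5A5A5A5, 0xA5A5 sectors) for an empty PRDT and a second, bogus range after the one real entry of a short PRDT; the post-fix parser reports zero and one respectively, and stops at 64 entries on a full payload instead of indexing past buf. In the real device model the stale bytes are whatever the previous stack frame left behind rather than attacker-chosen, but the ranges parsed from them are acted on as if the guest had requested them, which is why zeroing the unread tail matters as much as bounding `done`.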