git: bb245c142075 - releng/14.1 - bhyve: fix off by one error in pci_xhci

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 21:07:34 UTC
The branch releng/14.1 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=bb245c1420753a68f9a17c1ee78ab84ddaf30b61

commit bb245c1420753a68f9a17c1ee78ab84ddaf30b61
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 20:46:54 +0000

    bhyve: fix off by one error in pci_xhci
    
    The function pci_xhci_find_stream validates that the streamid is valid
    but the bound check accepts up to ep_MaxPStreams included.
    
    The bug results in an out-of-bounds write on the heap with controlled
    data.
    
    Reported by:    Synacktiv
    Reviewed by:    jhb
    Security:       FreeBSD-SA-24:12.bhyve
    Security:       CVE-2024-32668
    Security:       HYP-04
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45994
    
    (cherry picked from commit 5c9308a4130858598c76f3ae6e3e3dfb41ccfe68)
    (cherry picked from commit 90af1336ed5e3c8556147325c4841c68639c4b63)
    
    Approved by:    so
---
 usr.sbin/bhyve/pci_xhci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c
index 99c1d20b3378..791c56a45f0b 100644
--- a/usr.sbin/bhyve/pci_xhci.c
+++ b/usr.sbin/bhyve/pci_xhci.c
@@ -660,7 +660,7 @@ pci_xhci_init_ep(struct pci_xhci_dev_emu *dev, int epid)
 	devep = &dev->eps[epid];
 	pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
 	if (pstreams > 0) {
-		DPRINTF(("init_ep %d with pstreams %d", epid, pstreams));
+		DPRINTF(("init_ep %d with pstreams %u", epid, pstreams));
 		assert(devep->ep_sctx_trbs == NULL);
 
 		devep->ep_sctx = XHCI_GADDR(dev->xsc, ep_ctx->qwEpCtx2 &
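Review bot: the only change in this hunk is the DPRINTF conversion switching from `%d` to `%u` for `pstreams`, which is a debug-format cleanup rather than part of the bounds fix; the declaration of `pstreams` and the result type of `XHCI_EPCTX_0_MAXP_STREAMS_GET()` are not in the hunk, so please confirm it is actually an unsigned type so the new specifier matches instead of silently trading one mismatch for another. Since this is a security backport, it would also help to say in the commit message that this hunk is unrelated cleanup carried along with the fix.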
@@ -1202,7 +1202,7 @@ pci_xhci_find_stream(struct pci_xhci_softc *sc, struct xhci_endp_ctx *ep,
 	}
 
 	/* only support primary stream */
-	if (streamid > devep->ep_MaxPStreams)
+	if (streamid >= devep->ep_MaxPStreams)
 		return (XHCI_TRB_ERROR_STREAM_TYPE);
 
 	sctx = (struct xhci_stream_ctx *)XHCI_GADDR(sc, ep->qwEpCtx2 & ~0xFUL) +
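Review bot: the `>` to `>=` change is the correct fix given the line that follows, where `sctx` is computed from the guest stream-context base plus `streamid`, so `ep_MaxPStreams` acts as an element count and the valid index range is `0 .. ep_MaxPStreams - 1`; the old check let `streamid == ep_MaxPStreams` through and indexed one element past the array, which is the heap out-of-bounds write the commit message describes. The `/* only support primary stream */` comment does not say this, so consider extending it (for example "streamid must be strictly less than ep_MaxPStreams, which is a count") to keep the next reader from reintroducing the off-by-one. Two related points not visible in the hunk: whether `streamid == 0` is rejected earlier (it is reserved in xHCI), and whether the stream-type error is the right completion code for an out-of-range stream ID, since the xHCI specification defines a separate invalid-stream-ID completion status.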