git: 5f035df278cc - releng/13.4 - bhyve: improve input validation in pci_xhci
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 19 Sep 2024 13:35:06 UTC
The branch releng/13.4 has been updated by gordon: URL: https://cgit.FreeBSD.org/src/commit/?id=5f035df278ccb4ac0b87ad38eb5dc20b8dfbf48e commit 5f035df278ccb4ac0b87ad38eb5dc20b8dfbf48e Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-07-17 15:04:23 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2024-09-19 13:33:55 +0000 bhyve: improve input validation in pci_xhci Several functions did not validate the slot index resulting in OOB read on the heap of the slot device structure which could lead to arbitrary reads/writes and potentially code execution. Reported by: Synacktiv Reviewed by: markj (earlier), jhb Approved by: so Approved by: re (cperciva) Security: FreeBSD-SA-24:15.bhyve Security: CVE-2024-41721 Security: HYP-02 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45996 (cherry picked from commit e72d86ad9c62c8054d7977a71f08e68ef755c132) (cherry picked from commit 419da61f8203ac475550ae4b0971dbef10f811f2) (cherry picked from commit 2abd2ad648994e8444f479e54773a36311f522e5) --- usr.sbin/bhyve/pci_xhci.c | 78 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 5 deletions(-) diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c index 93161affd732..06c71a6643a6 100644 --- a/usr.sbin/bhyve/pci_xhci.c +++ b/usr.sbin/bhyve/pci_xhci.c @@ -579,7 +579,7 @@ pci_xhci_get_dev_ctx(struct pci_xhci_softc *sc, uint32_t slot) uint64_t devctx_addr; struct xhci_dev_ctx *devctx; - assert(slot > 0 && slot <= XHCI_MAX_DEVS); + assert(slot > 0 && slot <= XHCI_MAX_SLOTS); assert(XHCI_SLOTDEV_PTR(sc, slot) != NULL); assert(sc->opregs.dcbaa_p != NULL); @@ -852,7 +852,10 @@ pci_xhci_cmd_disable_slot(struct pci_xhci_softc *sc, uint32_t slot) if (sc->portregs == NULL) goto done; - if (slot > XHCI_MAX_SLOTS) { + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; goto done; } @@ -888,6 +891,14 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot) DPRINTF(("pci_xhci reset device slot %u", slot)); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); if (!dev || dev->dev_slotstate == XHCI_ST_DISABLED) cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; @@ -896,6 +907,10 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot) dev->hci.hci_address = 0; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } /* slot state */ dev_ctx->ctx_slot.dwSctx3 = FIELD_REPLACE( @@ -956,8 +971,20 @@ pci_xhci_cmd_address_device(struct pci_xhci_softc *sc, uint32_t slot, goto done; } + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + /* assign address to slot */ dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } DPRINTF(("pci_xhci: address device, dev ctx")); DPRINTF((" slot %08x %08x %08x %08x", @@ -1018,6 +1045,14 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot, DPRINTF(("pci_xhci config_ep slot %u", slot)); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); @@ -1031,6 +1066,10 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot, dev->hci.hci_address = 0; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } /* number of contexts */ dev_ctx->ctx_slot.dwSctx0 = FIELD_REPLACE( @@ -1137,11 +1176,19 @@ pci_xhci_cmd_reset_ep(struct pci_xhci_softc *sc, uint32_t slot, cmderr = XHCI_TRB_ERROR_SUCCESS; - type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); + type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3); + if (type == XHCI_TRB_TYPE_STOP_EP && (trb->dwTrb3 & XHCI_TRB_3_SUSP_EP_BIT) != 0) { /* XXX suspend endpoint for 10ms */ @@ -1226,6 +1273,14 @@ pci_xhci_cmd_set_tr(struct pci_xhci_softc *sc, uint32_t slot, cmderr = XHCI_TRB_ERROR_SUCCESS; + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); @@ -1324,8 +1379,20 @@ pci_xhci_cmd_eval_ctx(struct pci_xhci_softc *sc, uint32_t slot, goto done; } + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + /* assign address to slot; in this emulation, slot_id = address */ dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } DPRINTF(("pci_xhci: eval ctx, dev ctx")); DPRINTF((" slot %08x %08x %08x %08x", @@ -1554,8 +1621,9 @@ pci_xhci_xfer_complete(struct pci_xhci_softc *sc, struct usb_data_xfer *xfer, dev = XHCI_SLOTDEV_PTR(sc, slot); devep = &dev->eps[epid]; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); - - assert(dev_ctx != NULL); + if (dev_ctx == NULL) { + return XHCI_TRB_ERROR_PARAMETER; + } ep_ctx = &dev_ctx->ctx_ep[epid];