git: 5f035df278cc - releng/13.4 - bhyve: improve input validation in pci_xhci

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Thu, 19 Sep 2024 13:35:06 UTC
The branch releng/13.4 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=5f035df278ccb4ac0b87ad38eb5dc20b8dfbf48e

commit 5f035df278ccb4ac0b87ad38eb5dc20b8dfbf48e
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-07-17 15:04:23 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-09-19 13:33:55 +0000

    bhyve: improve input validation in pci_xhci
    
    Several functions did not validate the slot index resulting in OOB read
    on the heap of the slot device structure which could lead to arbitrary
    reads/writes and potentially code execution.
    
    Reported by:    Synacktiv
    Reviewed by:    markj (earlier), jhb
    Approved by:    so
    Approved by:    re (cperciva)
    Security:       FreeBSD-SA-24:15.bhyve
    Security:       CVE-2024-41721
    Security:       HYP-02
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45996
    
    (cherry picked from commit e72d86ad9c62c8054d7977a71f08e68ef755c132)
    (cherry picked from commit 419da61f8203ac475550ae4b0971dbef10f811f2)
    (cherry picked from commit 2abd2ad648994e8444f479e54773a36311f522e5)
---
 usr.sbin/bhyve/pci_xhci.c | 78 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 73 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c
index 93161affd732..06c71a6643a6 100644
--- a/usr.sbin/bhyve/pci_xhci.c
+++ b/usr.sbin/bhyve/pci_xhci.c
@@ -579,7 +579,7 @@ pci_xhci_get_dev_ctx(struct pci_xhci_softc *sc, uint32_t slot)
 	uint64_t devctx_addr;
 	struct xhci_dev_ctx *devctx;
 
-	assert(slot > 0 && slot <= XHCI_MAX_DEVS);
+	assert(slot > 0 && slot <= XHCI_MAX_SLOTS);
 	assert(XHCI_SLOTDEV_PTR(sc, slot) != NULL);
 	assert(sc->opregs.dcbaa_p != NULL);
 
@@ -852,7 +852,10 @@ pci_xhci_cmd_disable_slot(struct pci_xhci_softc *sc, uint32_t slot)
 	if (sc->portregs == NULL)
 		goto done;
 
-	if (slot > XHCI_MAX_SLOTS) {
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
 		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
 		goto done;
 	}
@@ -888,6 +891,14 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
 
 	DPRINTF(("pci_xhci reset device slot %u", slot));
 
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	if (!dev || dev->dev_slotstate == XHCI_ST_DISABLED)
 		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
@@ -896,6 +907,10 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
 
 		dev->hci.hci_address = 0;
 		dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+		if (dev_ctx == NULL) {
+			cmderr = XHCI_TRB_ERROR_PARAMETER;
+			goto done;
+		}
 
 		/* slot state */
 		dev_ctx->ctx_slot.dwSctx3 = FIELD_REPLACE(
@@ -956,8 +971,20 @@ pci_xhci_cmd_address_device(struct pci_xhci_softc *sc, uint32_t slot,
 		goto done;
 	}
 
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
+
 	/* assign address to slot */
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+	if (dev_ctx == NULL) {
+		cmderr = XHCI_TRB_ERROR_PARAMETER;
+		goto done;
+	}
 
 	DPRINTF(("pci_xhci: address device, dev ctx"));
 	DPRINTF(("          slot %08x %08x %08x %08x",
@@ -1018,6 +1045,14 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
 
 	DPRINTF(("pci_xhci config_ep slot %u", slot));
 
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	assert(dev != NULL);
 
@@ -1031,6 +1066,10 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
 
 		dev->hci.hci_address = 0;
 		dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+		if (dev_ctx == NULL) {
+			cmderr = XHCI_TRB_ERROR_PARAMETER;
+			goto done;
+		}
 
 		/* number of contexts */
 		dev_ctx->ctx_slot.dwSctx0 = FIELD_REPLACE(
@@ -1137,11 +1176,19 @@ pci_xhci_cmd_reset_ep(struct pci_xhci_softc *sc, uint32_t slot,
 
 	cmderr = XHCI_TRB_ERROR_SUCCESS;
 
-	type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
 
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	assert(dev != NULL);
 
+	type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
+
 	if (type == XHCI_TRB_TYPE_STOP_EP &&
 	    (trb->dwTrb3 & XHCI_TRB_3_SUSP_EP_BIT) != 0) {
 		/* XXX suspend endpoint for 10ms */
@@ -1226,6 +1273,14 @@ pci_xhci_cmd_set_tr(struct pci_xhci_softc *sc, uint32_t slot,
 
 	cmderr = XHCI_TRB_ERROR_SUCCESS;
 
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	assert(dev != NULL);
 
@@ -1324,8 +1379,20 @@ pci_xhci_cmd_eval_ctx(struct pci_xhci_softc *sc, uint32_t slot,
 		goto done;
 	}
 
+	if (slot == 0) {
+		cmderr = XHCI_TRB_ERROR_TRB;
+		goto done;
+	} else if (slot > XHCI_MAX_SLOTS) {
+		cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+		goto done;
+	}
+
 	/* assign address to slot; in this emulation, slot_id = address */
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+	if (dev_ctx == NULL) {
+		cmderr = XHCI_TRB_ERROR_PARAMETER;
+		goto done;
+	}
 
 	DPRINTF(("pci_xhci: eval ctx, dev ctx"));
 	DPRINTF(("          slot %08x %08x %08x %08x",
@@ -1554,8 +1621,9 @@ pci_xhci_xfer_complete(struct pci_xhci_softc *sc, struct usb_data_xfer *xfer,
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
-
-	assert(dev_ctx != NULL);
+	if (dev_ctx == NULL) {
+		return XHCI_TRB_ERROR_PARAMETER;
+	}
 
 	ep_ctx = &dev_ctx->ctx_ep[epid];