From nobody Thu Sep 26 20:38:01 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XF55P57q4z5Xkw5; Thu, 26 Sep 2024 20:38:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XF55P4ddhz4G7L; Thu, 26 Sep 2024 20:38:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727383081; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7et0GZSfrFZOaCgzCclb/BQ0by4QPdiE0W54n+yy4LM=; b=V5iitLLxpgrQmHAA2ILgjvczdHJO8wlDpf09I205CF9nvnwKU3aksXbX77EXGXQ6Gz62DR 2sOgpTtksTFgf0WnQ31G5xzSagvmcEj6PsCjDOwoWk1BlP1g971GsAsH8eMi60UharDa9s E1+IKNBixB4TjRSp+2MO1MHwdZHbAwBI7KDnGzUZHdQ39HZy9aYDf8ti+ekHzemkX0f7U5 jo8H3MCaLj1SCGKbOosZZEYZAJLmAEV0NWj1HGKdT4gFJ6R7Yt6ZQqJNIz4+6e9d+MWiI/ RBxzto/neNM5/Ka1sWhMNC7fkVxBLqIrndyFdN6w35m1+gSvaqh92cnrYuoCnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727383081; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7et0GZSfrFZOaCgzCclb/BQ0by4QPdiE0W54n+yy4LM=; b=b1n1+imuIewFG11EFMSD7HNuTrQYfuFbF6aGhQW+d2mz3G3dDkVeQLPMHLs5w060D5t9JO qw7iDobIzEe7ZYlibN/fhx2D01bK3K9wavnvWz0CInwOEGCD1QhCjIPljNIEbx6+3bxH2L 6mzonexNwpG45bL3GEWdf47xlcKzyI+tYreZEhgmdIE5IHqTpLdqXO7amFpUG/PiVyiWtE PvHQk+wTOkq7EkjRWV6vHMbpyrEaCQx2fRtcoAM5D+2lwN9/kc+pLP5IVaZIaHpK/75XER 0HubjIygZP33M83neC/schG4wPD4UMyZWkmyftMcHz+OebhZ8zMVUG6WYGg+9A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1727383081; a=rsa-sha256; cv=none; b=Li6oMAWupgwl8as2S9JgKi5pzpja36N3oxLRRQrhq8U8FU/zxPFlY93qOH18Vnt0Wq10qc aq10AQlWG/XtHvhfNSnitZAZmaDCwTWgFmIGCveq0KXOyNk2ROod06yUZQLkudPgyYARYd Fkmnv6uHUowS4X+5NxiRY5RfL6Y56hVx8gpWnZwQux7F407Rj0nVlt0YMxVwYQbHYx/50y gi/rQtvDebNiimHR/yBg4e3t8HRkITFbF62C9tm/TrVtXhRmV20bnEc38rXjX7es/0EFs+ hYvgmJ6v+wPWEH7jfjFzwPVG7WBKr0pJA4cZvZNGhS3vT0YqGdAZdEU1/o4n2g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XF55P448Cz19S1; Thu, 26 Sep 2024 20:38:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48QKc1wq029148; Thu, 26 Sep 2024 20:38:01 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48QKc17r029145; Thu, 26 Sep 2024 20:38:01 GMT (envelope-from git) Date: Thu, 26 Sep 2024 20:38:01 GMT Message-Id: <202409262038.48QKc17r029145@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Ed Maste Subject: git: 71fa171c6480 - main - bhyve: Initialize stack buffer in pci_ahci List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 71fa171c6480d60f4d9c01dea1c71a7249e7b8ab Auto-Submitted: auto-generated The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=71fa171c6480d60f4d9c01dea1c71a7249e7b8ab commit 71fa171c6480d60f4d9c01dea1c71a7249e7b8ab Author: Pierre Pronchery AuthorDate: 2024-07-23 14:34:03 +0000 Commit: Ed Maste CommitDate: 2024-09-26 18:06:10 +0000 bhyve: Initialize stack buffer in pci_ahci In the function ahci_handle_dsm_trim, if the call to read_prdt fails, the variable buf[512] is used while it contains uninitialized data. It is easy to make the call to read_prdt fail, for instance if hdr->prdtl == NULL, the function will return without writing anything in buf. In addition, this code could be hardened by checking the value of done before accessing &buf[done]. Reported by: Synacktiv Reviewed by: markj Security: HYP-15 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46090 --- usr.sbin/bhyve/pci_ahci.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bhyve/pci_ahci.c b/usr.sbin/bhyve/pci_ahci.c index 636df5c6e9b1..87a8212b9fb7 100644 --- a/usr.sbin/bhyve/pci_ahci.c +++ b/usr.sbin/bhyve/pci_ahci.c @@ -781,7 +781,7 @@ ahci_handle_flush(struct ahci_port *p, int slot, uint8_t *cfis) assert(err == 0); } -static inline void +static inline unsigned int read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf, unsigned int size) { @@ -808,6 +808,7 @@ read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf, to += sublen; prdt++; } + return (size - len); } static void @@ -820,6 +821,7 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done uint32_t len, elen; int err, first, ncq; uint8_t buf[512]; + unsigned int written; first = (done == 0); if (cfis[2] == ATA_DATA_SET_MANAGEMENT) { @@ -831,9 +833,12 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done len *= 512; ncq = 1; } - read_prdt(p, slot, cfis, buf, sizeof(buf)); + written = read_prdt(p, slot, cfis, buf, sizeof(buf)); + memset(buf + written, 0, sizeof(buf) - written); next: + if (done >= sizeof(buf) - 8) + return; entry = &buf[done]; elba = ((uint64_t)entry[5] << 40) | ((uint64_t)entry[4] << 32) |