Date: Fri, 1 Apr 2022 09:19:40 GMT
Message-Id: <202204010919.2319JewQ091556@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Emmanuel Vadot
Subject: git: 45ddbf211274 - main - bhyve: avoid overflow of BAR index
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: manu
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 45ddbf211274eb28c0ccd0042640de57015dd390

The branch main has been updated by manu:

URL: https://cgit.FreeBSD.org/src/commit/?id=45ddbf211274eb28c0ccd0042640de57015dd390

commit
45ddbf211274eb28c0ccd0042640de57015dd390
Author:     Corvin Köhne
AuthorDate: 2022-04-01 08:18:52 +0000
Commit:     Emmanuel Vadot
CommitDate: 2022-04-01 09:13:16 +0000

    bhyve: avoid overflow of BAR index

    At the moment, writes to BAR registers that aren't 4-byte aligned are
    ignored. So, there's no overflow yet. Nevertheless, if this behaviour
    changes in the future, it could unintentionally introduce a buffer
    overflow. Additionally, some compilers or tools will detect this
    potential overflow and complain about it.

    Reviewed by:            markj
    Signed-off-by:          Corvin Köhne
    Reported-by:            Andy Fiddaman
    Differential Revision:  https://reviews.freebsd.org/D34689

--- usr.sbin/bhyve/pci_emul.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/bhyve/pci_emul.c b/usr.sbin/bhyve/pci_emul.c index 6005513eafe4..ab90c01c2394 100644 --- a/usr.sbin/bhyve/pci_emul.c +++ b/usr.sbin/bhyve/pci_emul.c @@ -166,6 +166,18 @@ CFGREAD(struct pci_devinst *pi, int coff, int bytes) return (pci_get_cfgdata32(pi, coff)); } +static int +is_pcir_bar(int coff) +{ + return (coff >= PCIR_BAR(0) && coff < PCIR_BAR(PCI_BARMAX + 1)); +} + +static int +is_pcir_bios(int coff) +{ + return (coff >= PCIR_BIOS && coff < PCIR_BIOS + 4); +} + /* * I/O access */ 
@@ -2107,19 +2119,23 @@ pci_cfgrw(struct vmctx *ctx, int vcpu, int in, int bus, int slot, int func, /* * Special handling for write to BAR and ROM registers */ - if ((coff >= PCIR_BAR(0) && coff < PCIR_BAR(PCI_BARMAX + 1)) || - (coff >= PCIR_BIOS && coff < PCIR_BIOS + 4)) { + if (is_pcir_bar(coff) || is_pcir_bios(coff)) { /* * Ignore writes to BAR registers that are not * 4-byte aligned. */ if (bytes != 4 || (coff & 0x3) != 0) return; - if (coff != PCIR_BIOS) { + + if (is_pcir_bar(coff)) { idx = (coff - PCIR_BAR(0)) / 4; - } else { + } else if (is_pcir_bios(coff)) { idx = PCI_ROM_IDX; + } else { + errx(4, "%s: invalid BAR offset %d", __func__, + coff); } + mask = ~(pi->pi_bar[idx].size - 1); switch (pi->pi_bar[idx].type) { case PCIBAR_NONE:
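Review bot: the two predicates added in the `@@ -166,6 +166,18 @@` hunk are undocumented; a one-line comment above each stating the range it covers (config offsets from PCIR_BAR(0) up to but excluding PCIR_BAR(PCI_BARMAX + 1) for `is_pcir_bar()`, the four bytes starting at PCIR_BIOS for `is_pcir_bios()`) would save the next reader from re-deriving it from the comparisons. Style point: both return a truth value but are declared `static int`; `static bool` (with `<stdbool.h>`) states the intent better and matches how the caller uses them in `if (is_pcir_bar(coff) || is_pcir_bios(coff))`. The exclusive upper bound `PCIR_BAR(PCI_BARMAX + 1)` is the right one for an index computed as `(coff - PCIR_BAR(0)) / 4`: the largest offset it admits yields idx == PCI_BARMAX.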
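Review bot: in the `@@ -2107,19 +2119,23 @@` hunk the `else { errx(4, ...) }` branch is unreachable by construction, since the enclosing `if (is_pcir_bar(coff) || is_pcir_bios(coff))` already guarantees one of the two predicates holds; that is fine as a defensive guard that lets the compiler see `idx` is assigned and bounded before `pi->pi_bar[idx]` is indexed, but a short comment saying so would stop a future reader from treating it as a reachable error path. Two things to double-check: `errx()` needs `<err.h>` in this file (not visible in the hunk), and the new `is_pcir_bios(coff)` test maps every offset in [PCIR_BIOS, PCIR_BIOS + 4) to PCI_ROM_IDX whereas the old code tested `coff != PCIR_BIOS`; the two agree only because the `bytes != 4 || (coff & 0x3) != 0` check above returns early for unaligned offsets, so if that alignment check is ever relaxed (the scenario the commit message anticipates) an unaligned ROM-register write would now be routed to the ROM BAR instead of producing an out-of-range BAR index, which is the behaviour the commit wants.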
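The latent overflow the commit message describes is easiest to see with numbers. The following is an added example, not bhyve code: it models the two index derivations from the `pci_cfgrw()` hunk above, with the alignment check left out so that an unaligned offset can reach them. The PCI config-space offsets, `PCI_BARMAX`, `PCI_ROM_IDX` and the size of the per-device BAR table are assumptions (standard PCI layout; bhyve's own definitions are not shown in this mail), and `new_bar_index()` returns -1 where the real code calls `errx()`.

```c
/*
 * Added example modelling the BAR-index derivation in bhyve's pci_cfgrw().
 * Not bhyve code; every constant below is an assumption for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define PCIR_BAR(x)   (0x10 + (x) * 4)   /* assumption: standard PCI BAR offsets */
#define PCI_BARMAX    5                  /* assumption: BAR0..BAR5 */
#define PCIR_BIOS     0x30               /* assumption: expansion ROM base register */
#define PCI_ROM_IDX   (PCI_BARMAX + 1)   /* assumption: ROM slot follows the BARs */
#define NBARS         (PCI_ROM_IDX + 1)  /* assumption: size of the pi_bar table */

/* Same range predicates as the hunk adds, declared bool here. */
static bool is_pcir_bar(int coff)
{
    return coff >= PCIR_BAR(0) && coff < PCIR_BAR(PCI_BARMAX + 1);
}

static bool is_pcir_bios(int coff)
{
    return coff >= PCIR_BIOS && coff < PCIR_BIOS + 4;
}

/*
 * Index derivation as it stood before the commit, with the 4-byte alignment
 * check removed to expose the problem: any ROM-register offset other than
 * PCIR_BIOS itself falls through to the BAR arithmetic.
 */
static int old_bar_index(int coff)
{
    if (coff != PCIR_BIOS)
        return (coff - PCIR_BAR(0)) / 4;
    return PCI_ROM_IDX;
}

/*
 * Index derivation after the commit: the predicates decide the slot, and
 * anything else is rejected (-1 stands in for errx()).
 */
static int new_bar_index(int coff)
{
    if (is_pcir_bar(coff))
        return (coff - PCIR_BAR(0)) / 4;
    if (is_pcir_bios(coff))
        return PCI_ROM_IDX;
    return -1;
}

static bool index_in_bounds(int idx)
{
    return idx >= 0 && idx < NBARS;
}

int main(void)
{
    /* Constructed offsets: an unaligned ROM-register byte and the byte
     * just past BAR5, the two edges where the derivations differ. */
    int probes[] = { PCIR_BAR(PCI_BARMAX), PCIR_BIOS, PCIR_BIOS + 1,
                     PCIR_BAR(PCI_BARMAX + 1) };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int coff = probes[i];
        int o = old_bar_index(coff), n = new_bar_index(coff);
        printf("coff=0x%02x old idx=%d (%s) new idx=%d (%s)\n", coff,
               o, index_in_bounds(o) ? "in bounds" : "OUT OF BOUNDS",
               n, n < 0 ? "rejected" : "in bounds");
    }
    return 0;
}
```

With these assumed constants, `old_bar_index(PCIR_BIOS + 1)` evaluates to (0x31 - 0x10) / 4 = 8, past the end of a 7-entry table, while `new_bar_index()` maps the same offset to the ROM slot; that is the index the commit wants a compiler or analyser to be able to prove bounded.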