git: 27029bc08f1d - main - vmm: fix use after free in ppt_detach()
Date: Fri, 20 Jan 2023 20:25:32 UTC
The branch main has been updated by rew: URL: https://cgit.FreeBSD.org/src/commit/?id=27029bc08f1d7fdb39b2aee6ff8263f68dd93495 commit 27029bc08f1d7fdb39b2aee6ff8263f68dd93495 Author: Robert Wing <rew@FreeBSD.org> AuthorDate: 2023-01-20 11:25:27 +0000 Commit: Robert Wing <rew@FreeBSD.org> CommitDate: 2023-01-20 11:25:27 +0000 vmm: fix use after free in ppt_detach() The vmm module destroys the host_domain before unloading the ppt module causing a use after free. This can happen when kldunload'ing vmm. Reviewed by: markj, jhb Differential Revision: https://reviews.freebsd.org/D38072
--- sys/amd64/vmm/intel/vtd.c | 2 ++ sys/amd64/vmm/io/iommu.c | 1 + sys/amd64/vmm/io/ppt.c | 4 +++- 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/sys/amd64/vmm/intel/vtd.c b/sys/amd64/vmm/intel/vtd.c
index 8f06dc823364..21e81223f6ee 100644
--- a/sys/amd64/vmm/intel/vtd.c
+++ b/sys/amd64/vmm/intel/vtd.c
@@ -446,6 +446,8 @@ vtd_add_device(void *arg, uint16_t rid)
 struct vtdmap *vtdmap;
 uint8_t bus;
+ KASSERT(dom != NULL, ("domain is NULL"));
+
 bus = PCI_RID2BUS(rid);
 ctxp = ctx_tables[bus];
 pt_paddr = vtophys(dom->ptp);
diff --git a/sys/amd64/vmm/io/iommu.c b/sys/amd64/vmm/io/iommu.c
index 6a589f153815..01ce29539ec2 100644
--- a/sys/amd64/vmm/io/iommu.c
+++ b/sys/amd64/vmm/io/iommu.c
@@ -258,6 +258,7 @@ iommu_cleanup(void)
 }
 IOMMU_DISABLE();
 IOMMU_DESTROY_DOMAIN(host_domain);
+ host_domain = NULL;
 IOMMU_CLEANUP();
 }
diff --git a/sys/amd64/vmm/io/ppt.c b/sys/amd64/vmm/io/ppt.c
index edb65a3ac07b..26dad1832b10 100644
--- a/sys/amd64/vmm/io/ppt.c
+++ b/sys/amd64/vmm/io/ppt.c
@@ -182,7 +182,9 @@ ppt_detach(device_t dev)
 num_pptdevs--;
 TAILQ_REMOVE(&pptdev_list, ppt, next);
 pci_disable_busmaster(dev);
- iommu_add_device(iommu_host_domain(), pci_get_rid(dev));
+
+ if (iommu_host_domain() != NULL)
+ iommu_add_device(iommu_host_domain(), pci_get_rid(dev));
 return (0);
 }
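Review bot: The KASSERT added in vtd_add_device() is compiled out in kernels built without INVARIANTS, so on those kernels the dereference at `pt_paddr = vtophys(dom->ptp)` is exactly as unprotected as before; the assertion turns a silent use of a destroyed domain into a panic on debug kernels only, and the actual protection is the caller-side NULL check in ppt_detach(). That is a reasonable debugging aid, but the division of responsibility should be written down, e.g. above the assertion: `/* A destroyed host domain must be filtered by the caller (see ppt_detach()); this only catches it on INVARIANTS kernels. */`. vtd_add_device() starts outside the hunk, so where `dom` is assigned (presumably from `arg`) is not visible here.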
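Review bot: Clearing `host_domain` right after IOMMU_DESTROY_DOMAIN() makes a NULL return from iommu_host_domain() part of its contract, but nothing on the new side of iommu_cleanup() records that, and this commit only teaches ppt_detach() to tolerate it; any other caller that hands the result to iommu_add_device() or iommu_remove_device() is outside this diff and would need the same check. A one-line comment on the assignment would pin the invariant for the next caller: `/* iommu_host_domain() returns NULL from here on; callers must check before use. */`. The window between the destroy and the NULL store is presumably closed by module-unload serialization, which cannot be confirmed from the hunk. iommu_cleanup() begins outside the hunk.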
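Review bot: iommu_host_domain() is evaluated twice on the new lines in ppt_detach(), once for the NULL test and once as the argument, so the check and the use are two separate reads of the global that the other hunk now clears; if detach can overlap with iommu_cleanup() that reopens the gap this commit closes, and even if it cannot, a single read is clearer and cheaper. Capture it once: `void *dom = iommu_host_domain();` / `if (dom != NULL)` / `	iommu_add_device(dom, pci_get_rid(dev));`. This assumes iommu_host_domain() returns a pointer assignable to `void *`, as its use as the first argument of iommu_add_device() suggests; ppt_detach() begins outside the hunk.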