git: 5c9308a41308 - main - bhyve: fix off by one error in pci_xhci
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 04 Sep 2024 14:40:03 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=5c9308a4130858598c76f3ae6e3e3dfb41ccfe68
commit 5c9308a4130858598c76f3ae6e3e3dfb41ccfe68
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 14:38:11 +0000
bhyve: fix off by one error in pci_xhci
The function pci_xhci_find_stream validates that the streamid is valid
but the bound check accepts up to ep_MaxPStreams included.
The bug results in an out-of-bounds write on the heap with controlled
data.
Reported by: Synacktiv
Reviewed by: jhb
Security: FreeBSD-SA-24:12.bhyve
Security: CVE-2024-32668
Security: HYP-04
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45994
---
usr.sbin/bhyve/pci_xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c
index 8654dd9e7a14..b72c839c807b 100644
--- a/usr.sbin/bhyve/pci_xhci.c
+++ b/usr.sbin/bhyve/pci_xhci.c
@@ -660,7 +660,7 @@ pci_xhci_init_ep(struct pci_xhci_dev_emu *dev, int epid)
devep = &dev->eps[epid];
pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
if (pstreams > 0) {
- DPRINTF(("init_ep %d with pstreams %d", epid, pstreams));
+ DPRINTF(("init_ep %d with pstreams %u", epid, pstreams));
assert(devep->ep_sctx_trbs == NULL);
devep->ep_sctx = XHCI_GADDR(dev->xsc, ep_ctx->qwEpCtx2 &
@@ -1202,7 +1202,7 @@ pci_xhci_find_stream(struct pci_xhci_softc *sc, struct xhci_endp_ctx *ep,
}
/* only support primary stream */
- if (streamid > devep->ep_MaxPStreams)
+ if (streamid >= devep->ep_MaxPStreams)
return (XHCI_TRB_ERROR_STREAM_TYPE);
sctx = (struct xhci_stream_ctx *)XHCI_GADDR(sc, ep->qwEpCtx2 & ~0xFUL) +