[Bug 264177] bhyve: Guest can cause a crash in bhyve nvme emulation
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 264177] guest can cause a crash in bhyve nvme emulation"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 13 Aug 2022 19:19:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264177 --- Comment #5 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=88951aaaee73b87121b0f121224fe188a5b5e6e3 commit 88951aaaee73b87121b0f121224fe188a5b5e6e3 Author: Chuck Tuffli <chuck@FreeBSD.org> AuthorDate: 2022-06-09 18:19:32 +0000 Commit: Chuck Tuffli <chuck@FreeBSD.org> CommitDate: 2022-08-13 19:16:02 +0000 bhyve nvme: Fix out-of-bound IOV array access Summary: NVMe operations indicate the memory region(s) associated with a command via physical region pages (PRPs). Since each PRP has a fixed size, contiguous memory regions larger than the PRP size require multiple PRP entries. Instead of issuing a blockif call for each PRP, the NVMe emulation concatenates multiple contiguous PRP entries into a single blockif request. The test for contiguous regions has a bug such that it mistakenly treats an initial PRP address of zero as a contiguous range and concatenates it with the previous. But because there is no previous IOV, the concatenation code corrupts the IO request structure and leads to a segmentation fault when the blockif request completes. Fix is to test for the existence of a previous range before trying to concatenate the current range with the previous one. While in the area, rename pci_nvme_append_iov_req()'s lba parameter to offset to match its usage. PR: 264177 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: jhb MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D35328 usr.sbin/bhyve/pci_nvme.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) -- You are receiving this mail because: You are on the CC list for the bug.