[Bug 264567] bhyve's e82545_transmit() can index beyond the end of the tx descriptors
Date: Thu, 09 Jun 2022 09:32:02 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264567

Bug ID: 264567
Summary: bhyve's e82545_transmit() can index beyond the end of the tx descriptors
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu

When it is first executed, e82545_tx_run() passes whatever it finds in sc->esc_TDH to e82545_transmit() as the head index, and the latter uses the index without any check:

    dsc = &sc->esc_txdesc[head];

The guest can specify any 16-bit TDH by writing the E1000_TDH(0) register. So it can cause e82545_transmit() to try to read a host address up to a megabyte beyond the end of guest memory, and can cause e82545_transmit_done() to try to write there.
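To show the defect class the report describes and the check that closes it, here is an added C example that is not bhyve's code: it models the TX ring with an assumed, simplified struct (the names tx_ring, tx_desc_unchecked, tx_desc_checked, tx_head_overrun_bytes and tx_demo_ring are hypothetical) and places the unchecked descriptor lookup beside one that validates the head index against the ring length the guest programmed.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified model of the e1000 TX ring state (not bhyve's real
 * struct): a descriptor array backed by guest memory, the ring size in bytes
 * the guest programmed into TDLEN, and the guest-writable head index. */
struct tx_desc { uint64_t buffer_addr; uint64_t cmd_len_status; };

struct tx_ring {
    struct tx_desc *desc;   /* like esc_txdesc: ring base, 16 bytes/entry */
    uint32_t        tdlen;  /* like esc_TDLEN: ring size in bytes */
    uint16_t        tdh;    /* like esc_TDH: head index */
};

/* Number of descriptors the programmed ring actually holds. */
uint32_t tx_ring_ndesc(const struct tx_ring *r)
{
    return r->tdlen / sizeof(struct tx_desc);
}

/* The pattern from the report: the head index reaches the array unchecked,
 * so any 16-bit value the guest wrote to TDH becomes a host pointer. */
struct tx_desc *tx_desc_unchecked(struct tx_ring *r, uint16_t head)
{
    return &r->desc[head];
}

/* Hardened lookup: refuse a head at or past the ring end before it is used
 * to form a pointer. Returns NULL instead of an out-of-bounds address. */
struct tx_desc *tx_desc_checked(struct tx_ring *r, uint16_t head)
{
    if (head >= tx_ring_ndesc(r))
        return NULL;
    return &r->desc[head];
}

/* Bytes past the ring end an unchecked index would reach (arithmetic only,
 * no out-of-bounds pointer is formed). 0xffff * 16 is just under 1 MiB,
 * which is the "up to a megabyte" reach the report describes. */
uint64_t tx_head_overrun_bytes(const struct tx_ring *r, uint16_t head)
{
    uint64_t off = (uint64_t)head * sizeof(struct tx_desc);
    return off >= r->tdlen ? off - r->tdlen : 0;
}

/* Constructed 8-entry ring for the demonstration. */
static struct tx_desc demo_storage[8];
static struct tx_ring demo = { demo_storage, sizeof demo_storage, 0 };
struct tx_ring *tx_demo_ring(void) { return &demo; }
```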