[Bug 264347] bhyve guest can cause access beyond end of pci_xhci.c's ep_sctx_trbs[] array
Date: Mon, 30 May 2022 09:52:03 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264347
Bug ID: 264347
Summary: bhyve guest can cause access beyond end of pci_xhci.c's ep_sctx_trbs[] array
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Bhyve's pci_xhci_init_ep() allocates space for multiple streams if the
guest asks for them:
    pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
    if (pstreams > 0) {
        ...;
        devep->ep_sctx_trbs = calloc(pstreams,
            sizeof(struct pci_xhci_trb_ring));
So if the guest asks for one stream, only devep->ep_sctx_trbs[0]
is valid.
ep_sctx_trbs[] is used in pci_xhci_device_doorbell():
    if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
        /*
         * Stream IDs of 0, 65535 (any stream), and 65534
         * (prime) are invalid.
         */
        if (streamid == 0 || streamid == 65534 || streamid == 65535) {
            DPRINTF(("pci_xhci: invalid stream"));
            return;
        }
        ...;
        sctx_tr = &devep->ep_sctx_trbs[streamid];
        ...;
        ringaddr = sctx_tr->ringaddr;
But here, if the guest asks for one stream, the code requires streamid
to be 1, and thus indexes beyond the end of ep_sctx_trbs[].
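As an added illustration, not bhyve's code and not the fix committed for this bug: the reserved-ID check quoted above beside a version that also bounds streamid by the number of stream contexts that were actually allocated. The struct names, lookup_stream_ring() and doorbell_scenario() are hypothetical stand-ins for the real pci_xhci.c state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for bhyve's per-stream ring and endpoint state
 * (constructed for this example, not the real pci_xhci.c structs). */
struct trb_ring { uint64_t ringaddr; };
struct endpoint {
	unsigned int pstreams;		/* stream count the guest asked for */
	struct trb_ring *sctx_trbs;	/* calloc(pstreams, sizeof *sctx_trbs) */
};

/* The check quoted in the report: only the reserved IDs are rejected, so
 * any streamid in 1..65533 reaches the index even when pstreams is 1. */
bool
stream_id_ok_original(unsigned int streamid)
{
	return !(streamid == 0 || streamid == 65534 || streamid == 65535);
}

/* Hardened: a guest-supplied streamid must also be below the array length.
 * With pstreams == 1 no ID passes (0 is reserved, 1 is out of bounds). */
bool
stream_id_ok_bounded(const struct endpoint *ep, unsigned int streamid)
{
	return stream_id_ok_original(streamid) && streamid < ep->pstreams;
}

/* Returns the ring for streamid, or NULL when the ID is rejected. */
struct trb_ring *
lookup_stream_ring(struct endpoint *ep, unsigned int streamid)
{
	if (!stream_id_ok_bounded(ep, streamid))
		return NULL;
	return &ep->sctx_trbs[streamid];
}

/* Constructed doorbell scenario: calloc pstreams rings as pci_xhci_init_ep()
 * does, then look up streamid. 1 = allowed, 0 = rejected, -1 = calloc failed. */
int
doorbell_scenario(unsigned int pstreams, unsigned int streamid)
{
	struct endpoint ep = { pstreams, calloc(pstreams, sizeof(struct trb_ring)) };
	int hit;
	if (ep.sctx_trbs == NULL)
		return -1;
	hit = lookup_stream_ring(&ep, streamid) != NULL;
	free(ep.sctx_trbs);
	return hit;
}
```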