From nobody Sat Nov 19 18:46:14 2022
Date: Sat, 19 Nov 2022 18:46:14 GMT
Message-Id: <202211191846.2AJIkEKI010238@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Chuck Tuffli
Subject: git: f3a69bc7223a - stable/13 - bhyve nvme: Check return value of mapped memory
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: chuck
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: f3a69bc7223ad3fc04e417a88e6bb878aa3bfaf2

The branch stable/13 has been updated by chuck:

URL: https://cgit.FreeBSD.org/src/commit/?id=f3a69bc7223ad3fc04e417a88e6bb878aa3bfaf2

commit f3a69bc7223ad3fc04e417a88e6bb878aa3bfaf2
Author:     Chuck Tuffli
AuthorDate: 2022-08-14 14:45:21 +0000
Commit:     Chuck Tuffli
CommitDate: 2022-11-20 02:21:32 +0000

    bhyve nvme: Check return value of mapped memory

    Fuzzing of bhyve using hyfuzz discovered a way to cause a segmentation
    fault in the NVMe emulation. If a guest specifies a physical address in
    either the PRP1 or PRP2 field of a command that cannot be mapped from
    guest to host, the function paddr_guest2host() returns a NULL pointer.
    The NVMe emulation did not check for this error case, which allowed for
    the segmentation fault to occur.

    Fix is to check for a return value of NULL and indicate an error back to
    the guest (Data Transfer error).

    While in the area, slightly refactor the write/read blockif function to
    use a common error exit path.

    PR:		256317,256319,256320,256321,256322

    (cherry picked from commit 3d3678627c3112c94d174a8c51d8c058d02befb3)
---
 usr.sbin/bhyve/pci_nvme.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/bhyve/pci_nvme.c b/usr.sbin/bhyve/pci_nvme.c
index d133d4817665..6004cc91707b 100644
--- a/usr.sbin/bhyve/pci_nvme.c +++ b/usr.sbin/bhyve/pci_nvme.c @@ -2219,6 +2219,8 @@ pci_nvme_append_iov_req(struct pci_nvme_softc *sc, struct pci_nvme_ioreq *req, req->io_req.br_iov[iovidx].iov_base = paddr_guest2host(req->sc->nsc_pi->pi_vmctx, req->prev_gpaddr, size); + if (req->io_req.br_iov[iovidx].iov_base == NULL) + return (-1); req->prev_size += size; req->io_req.br_resid += size; @@ -2235,6 +2237,8 @@ pci_nvme_append_iov_req(struct pci_nvme_softc *sc, struct pci_nvme_ioreq *req, req->io_req.br_iov[iovidx].iov_base = paddr_guest2host(req->sc->nsc_pi->pi_vmctx, gpaddr, size); + if (req->io_req.br_iov[iovidx].iov_base == NULL) + return (-1); req->io_req.br_iov[iovidx].iov_len = size; @@ -2420,8 +2424,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc, size = MIN(PAGE_SIZE - (prp1 % PAGE_SIZE), bytes); if (pci_nvme_append_iov_req(sc, req, prp1, size, is_write, offset)) { - pci_nvme_status_genc(&status, - NVME_SC_DATA_TRANSFER_ERROR); + err = -1; goto out; } @@ -2434,8 +2437,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc, size = bytes; if (pci_nvme_append_iov_req(sc, req, prp2, size, is_write, offset)) { - pci_nvme_status_genc(&status, - NVME_SC_DATA_TRANSFER_ERROR); + err = -1; goto out; } } else { @@ -2451,6 +2453,10 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc, prp_list = paddr_guest2host(vmctx, prp, PAGE_SIZE - (prp % PAGE_SIZE)); + if (prp_list == NULL) { + err = -1; + goto out; + } last = prp_list + (NVME_PRP2_ITEMS - 1); } @@ -2458,8 +2464,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc, if (pci_nvme_append_iov_req(sc, req, *prp_list, size, is_write, offset)) { - pci_nvme_status_genc(&status, - NVME_SC_DATA_TRANSFER_ERROR); + err = -1; goto out; } @@ -2474,10 +2479,10 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc, err = blockif_write(nvstore->ctx, &req->io_req); else err = blockif_read(nvstore->ctx, &req->io_req); - +out: if (err) pci_nvme_status_genc(&status, NVME_SC_DATA_TRANSFER_ERROR); -out: + return (status); }
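Review bot: In the @@ -2219 hunk the NULL check sits after req->io_req.br_iov[iovidx].iov_base has already been overwritten, and this is the path that maps req->prev_gpaddr and then grows req->prev_size, so an iov entry that held a valid pointer before the call holds NULL when -1 is returned. That is harmless as long as every caller abandons the request, which nvme_write_read_blockif() does with its goto out, but mapping into a local and assigning only on success keeps br_iov free of NULL pointers for anything that later walks the array: `void *p = paddr_guest2host(req->sc->nsc_pi->pi_vmctx, req->prev_gpaddr, size);` / `if (p == NULL) return (-1);` / `req->io_req.br_iov[iovidx].iov_base = p;`. The same shape applies to the new-entry path in the @@ -2235 hunk.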
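Review bot: In the @@ -2451 hunk the NULL check on prp_list is correct, but the mapping is requested for `PAGE_SIZE - (prp % PAGE_SIZE)` bytes while the very next line sets `last = prp_list + (NVME_PRP2_ITEMS - 1)`, a full page of entries regardless of the offset. For a PRP list pointer that is not page-aligned the two disagree, and any entry index between the mapped length and last lies outside what was asked of paddr_guest2host(). Suggest deriving last from the mapped length rather than from NVME_PRP2_ITEMS, or rejecting an unaligned list pointer with the same Data Transfer error the rest of this change uses.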
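Review bot: With out: moved ahead of `if (err)` in the @@ -2474 hunk, a guest-supplied PRP that cannot be mapped and a host-side blockif_write()/blockif_read() failure now reach the guest through the same NVME_SC_DATA_TRANSFER_ERROR line, and nothing on the host records which of the two happened. Returning the same status to the guest is fine, but consider a debug log message on the `err = -1` paths in the earlier hunks so a guest that keeps handing in unmappable addresses, as the fuzzer did, shows up in the bhyve log; a one-line comment at out: that every path jumping there must set err first would also help, since status is only assigned on that condition.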
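The failure the commit message describes, a guest-supplied PRP that falls outside guest memory so the mapper returns NULL, modelled as an added example in C. This is not bhyve code: gpa2host(), append_iov() and build_prp_iov() are stand-ins for paddr_guest2host(), pci_nvme_append_iov_req() and nvme_write_read_blockif(), the two-segment guest memory map, the transfer wrappers and the status values are constructed for the example, and chained PRP lists are not modelled. It goes beyond the patch in one respect: the number of PRP list entries is derived from the length actually mapped, so an unaligned list pointer can never walk past the mapping.

```c
/*
 * Added example, not bhyve code. Models the bug the commit fixes: a guest PRP
 * outside guest memory cannot be mapped, the mapper returns NULL, and the
 * request must fail with a Data Transfer error instead of carrying a NULL
 * iov_base. gpa2host/append_iov/build_prp_iov are assumed stand-ins for
 * paddr_guest2host/pci_nvme_append_iov_req/nvme_write_read_blockif.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096
#define MAX_IOV   16
#define MIN(a, b) ((a) < (b) ? (a) : (b))
enum { SC_SUCCESS = 0, SC_DATA_TRANSFER_ERROR = 4 };	/* constructed status values */

/* Constructed guest physical map: 32 KiB at 0, 16 KiB at 1 MiB, nothing else. */
struct seg { uint64_t gpa; size_t len; uint8_t *host; };
static uint8_t lowmem[8 * PAGE_SIZE], himem[4 * PAGE_SIZE];
static const struct seg segs[] = {
	{ 0x0,      sizeof lowmem, lowmem },
	{ 0x100000, sizeof himem,  himem  },
};

static void *
gpa2host(uint64_t gpa, size_t len)	/* NULL unless [gpa, gpa+len) is inside one segment */
{
	for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++) {
		const struct seg *s = &segs[i];
		if (gpa >= s->gpa && len <= s->len && gpa - s->gpa <= s->len - len)
			return s->host + (gpa - s->gpa);
	}
	return NULL;
}

static int
guest_write_u64(uint64_t gpa, uint64_t val)	/* test setup: store one PRP list entry */
{
	void *p = gpa2host(gpa, sizeof val);
	return p == NULL ? -1 : (memcpy(p, &val, sizeof val), 0);
}

struct iov { void *base; size_t len; };
struct ioreq { struct iov iov[MAX_IOV]; int iovcnt; size_t resid; };
static struct ioreq g_req;	/* request under construction */

static int
append_iov(struct ioreq *req, uint64_t gpa, size_t size)	/* -1 if gpa cannot be mapped */
{
	void *p = gpa2host(gpa, size);
	if (req->iovcnt >= MAX_IOV || p == NULL)	/* the check the patch adds: never keep NULL */
		return -1;
	req->iov[req->iovcnt].base = p;
	req->iov[req->iovcnt].len = size;
	req->iovcnt++;
	req->resid += size;
	return 0;
}

/* Build the iov for a PRP1/PRP2 transfer of `bytes`; returns an NVMe-style status. */
static int
build_prp_iov(struct ioreq *req, uint64_t prp1, uint64_t prp2, size_t bytes)
{
	uint8_t *list; uint64_t ent;
	size_t size, nent, i;
	memset(req, 0, sizeof *req);
	size = MIN(PAGE_SIZE - (prp1 % PAGE_SIZE), bytes);	/* PRP1 may start mid-page */
	if (append_iov(req, prp1, size))
		goto fail;
	bytes -= size;
	if (bytes == 0) return SC_SUCCESS;	/* whole transfer fit in PRP1; PRP2 unused */
	if (bytes <= PAGE_SIZE)			/* PRP2 is a plain page pointer */
		return append_iov(req, prp2, bytes) ? SC_DATA_TRANSFER_ERROR : SC_SUCCESS;
	/* PRP2 points at a list of page pointers: map the list before reading it. */
	size = PAGE_SIZE - (prp2 % PAGE_SIZE);
	if ((list = gpa2host(prp2, size)) == NULL) goto fail;	/* the prp_list check */
	nent = size / sizeof ent;		/* bounded by what was mapped, not a full page */
	for (i = 0; bytes > 0; i++) {
		if (i >= nent) goto fail;	/* chained lists are not modelled */
		memcpy(&ent, list + i * sizeof ent, sizeof ent);
		size = MIN(bytes, (size_t)PAGE_SIZE);
		if (append_iov(req, ent, size))	/* each entry is guest-controlled too */
			goto fail;
		bytes -= size;
	}
	return SC_SUCCESS;
fail:
	return SC_DATA_TRANSFER_ERROR;
}

static int xfer(uint64_t prp1, uint64_t prp2, size_t bytes) { return build_prp_iov(&g_req, prp1, prp2, bytes); }
static int last_iovcnt(void) { return g_req.iovcnt; }
static size_t last_resid(void) { return g_req.resid; }

int main(void)
{
	printf("in range: status %d; PRP2 unmappable: status %d\n",
	    xfer(0x1000, 0x2000, 8192), xfer(0x1000, 0x200000, 8192));
	return 0;
}
```

Every guest-controlled address, PRP1, PRP2 and each list entry, goes through the same mapper and the same NULL check, and build_prp_iov() returns the Data Transfer status on any miss instead of leaving a NULL base in the iov for the block layer to dereference; the list length is taken from the bytes actually mapped, which is what keeps an unaligned PRP2 from reading beyond the mapping.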