Date: Mon, 23 May 2022 15:10:14 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 264177] guest can cause a crash in bhyve nvme emulation
Message-ID: <bug-264177-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264177

            Bug ID: 264177
           Summary: guest can cause a crash in bhyve nvme emulation
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In bhyve's pci_nvme_append_iov_req(), if the guest provides a zero prp1
(i.e. gpaddr) for an I/O operation, then this code runs:

  if ((req->prev_gpaddr + req->prev_size) == gpaddr) {
    iovidx = req->io_req.br_iovcnt - 1;
    ...;
    req->prev_size += size;
    ...;
    req->io_req.br_iov[iovidx].iov_len = req->prev_size;

prev_gpaddr, prev_size, and br_iovcnt are all ordinarily zero at this
point. So iovidx = -1, and the assignment to br_iov[iovidx].iov_len
actually overwrites io_req.br_param. This later causes a bad pointer
dereference in pci_nvme_io_done():

  struct pci_nvme_ioreq *req = br->br_param;
  struct nvme_submission_queue *sq = req->nvme_sq;

You can see this happen if you boot a FreeBSD guest kernel in bhyve with
an nvme device, after modifying the guest kernel's nvme_payload_map() in
/sys/dev/nvme/nvme_qpair.c to set tr->req->cmd.prp1 to zero when it is
called for the third time.

-- 
You are receiving this mail because:
You are the assignee for the bug.
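The coalescing check the report quotes, next to a guarded form of it, as an added example that is neither bhyve's code nor the FreeBSD fix for this bug; the struct layout, IOV_ENTRIES and the hva parameter are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>
#define IOV_ENTRIES 8	/* constructed; stands in for bhyve's iov array size */

/* Constructed stand-in for the fields of pci_nvme_ioreq / blockif_req the
 * report names; not bhyve's real layout. */
struct ioreq {
	int		br_iovcnt;
	struct iovec	br_iov[IOV_ENTRIES];
	void		*br_param;	/* completion context read back in io_done() */
	uint64_t	prev_gpaddr;	/* guest address of the last appended range */
	uint64_t	prev_size;	/* length of the last appended range */
};

/* Index the unguarded coalescing test from the report computes; on a
 * fresh request (all three fields zero) and gpaddr == 0 it yields -1. */
int
unguarded_iov_index(const struct ioreq *req, uint64_t gpaddr)
{
	if ((req->prev_gpaddr + req->prev_size) == gpaddr)
		return (req->br_iovcnt - 1);
	return (req->br_iovcnt);
}

/* Guarded append: extend the previous entry only when one exists, and never
 * write past the array. Returns 0 on success, -1 to reject the command.
 * hva is the host mapping of gpaddr, resolved by the caller (assumption). */
int
append_iov_req(struct ioreq *req, uint64_t gpaddr, void *hva, uint64_t size)
{
	if (size == 0 || hva == NULL)
		return (-1);
	if (req->br_iovcnt > 0 &&
	    (req->prev_gpaddr + req->prev_size) == gpaddr) {
		int iovidx = req->br_iovcnt - 1;	/* always >= 0 here */
		req->prev_size += size;
		req->br_iov[iovidx].iov_len = req->prev_size;
		return (0);
	}
	if (req->br_iovcnt >= IOV_ENTRIES)
		return (-1);
	req->br_iov[req->br_iovcnt].iov_base = hva;
	req->br_iov[req->br_iovcnt].iov_len = size;
	req->prev_gpaddr = gpaddr;
	req->prev_size = size;
	req->br_iovcnt++;
	return (0);
}
```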