Date: Mon, 30 May 2022 09:52:03 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 264347] bhyve guest can cause access beyond end of pci_xhci.c's ep_sctx_trbs[] array
Message-ID: <bug-264347-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264347

            Bug ID: 264347
           Summary: bhyve guest can cause access beyond end of pci_xhci.c's
                    ep_sctx_trbs[] array
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Bhyve's pci_xhci_init_ep() allocates space for multiple streams if the guest
asks for them:

    pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
    if (pstreams > 0) {
        ...;
        devep->ep_sctx_trbs = calloc(pstreams, sizeof(struct pci_xhci_trb_ring));

So if the guest asks for one stream, only devep->ep_sctx_trbs[0] is valid.

ep_sctx_trbs[] is used in pci_xhci_device_doorbell():

    if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
        /*
         * Stream IDs of 0, 65535 (any stream), and 65534
         * (prime) are invalid.
         */
        if (streamid == 0 || streamid == 65534 || streamid == 65535) {
            DPRINTF(("pci_xhci: invalid stream"));
            return;
        }
        ...;
        sctx_tr = &devep->ep_sctx_trbs[streamid];
        ...;
        ringaddr = sctx_tr->ringaddr;

But here, if the guest asks for one stream, the code requires streamid to be 1,
and thus indexes beyond the end of ep_sctx_trbs[].

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-264347-27103>
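The index selection the report describes, as an added stand-alone C model (not bhyve's code and not the FreeBSD fix): the endpoint allocates `pstreams` rings exactly as in the report, the unchecked path rejects only stream IDs 0, 65534 and 65535 and otherwise uses the guest-supplied value as the array index, and a hardened variant additionally rejects any index at or beyond the allocation. The `struct endpoint`, `struct trb_ring`, `stream_index_*` and `doorbell_ring` names, the constructed ring addresses, and the choice of `pstreams` as the bound are assumptions made for this example; the report itself does not say what the correct upper bound should be, only that the current code has none.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bhyve's per-stream TRB ring state. */
struct trb_ring {
	uint64_t ringaddr;
	int ccs;
};

/* Hypothetical stand-in for the endpoint state that owns ep_sctx_trbs[]. */
struct endpoint {
	uint32_t pstreams;          /* number of rings actually allocated   */
	struct trb_ring *sctx_trbs; /* pstreams entries, or NULL when none  */
};

/* Mirror the allocation in the report: calloc(pstreams, ...) when pstreams > 0. */
static int
endpoint_init(struct endpoint *ep, uint32_t pstreams)
{
	memset(ep, 0, sizeof(*ep));
	ep->pstreams = pstreams;
	if (pstreams > 0) {
		ep->sctx_trbs = calloc(pstreams, sizeof(*ep->sctx_trbs));
		if (ep->sctx_trbs == NULL)
			return (-1);
		/* Constructed ring addresses so lookups are observable. */
		for (uint32_t i = 0; i < pstreams; i++)
			ep->sctx_trbs[i].ringaddr = 0x1000 * (uint64_t)(i + 1);
	}
	return (0);
}

static void
endpoint_fini(struct endpoint *ep)
{
	free(ep->sctx_trbs);
	ep->sctx_trbs = NULL;
	ep->pstreams = 0;
}

/*
 * Index selection as the report describes it: only 0, 65534 and 65535 are
 * rejected, so any other guest-chosen stream ID becomes the array index.
 * Returns the index the doorbell handler would use, or -1 if rejected.
 * Note that this does not look at the allocation size at all.
 */
static long
stream_index_unchecked(uint32_t streamid)
{
	if (streamid == 0 || streamid == 65534 || streamid == 65535)
		return (-1);
	return ((long)streamid);
}

/*
 * Hardened variant (assumed fix, not the project's): keep the reserved-ID
 * check and additionally refuse any index that is not inside the array
 * that endpoint_init() actually allocated.
 */
static long
stream_index_checked(const struct endpoint *ep, uint32_t streamid)
{
	long idx = stream_index_unchecked(streamid);
	if (idx < 0)
		return (-1);
	if (ep->sctx_trbs == NULL || (uint32_t)idx >= ep->pstreams)
		return (-1);
	return (idx);
}

/* Doorbell lookup through the bounded index; NULL means "ignore the doorbell". */
static struct trb_ring *
doorbell_ring(struct endpoint *ep, uint32_t streamid)
{
	long idx = stream_index_checked(ep, streamid);
	return (idx < 0 ? NULL : &ep->sctx_trbs[idx]);
}

int
main(void)
{
	struct endpoint ep;

	if (endpoint_init(&ep, 1) != 0)
		return (1);
	/* With one stream allocated, ID 1 passes the unchecked test but is
	 * out of bounds for a one-element array; the checked path rejects it. */
	printf("pstreams=1 streamid=1: unchecked index %ld, checked index %ld\n",
	    stream_index_unchecked(1), stream_index_checked(&ep, 1));
	endpoint_fini(&ep);
	return (0);
}
```

With `pstreams == 1` there is no stream ID that both passes the reserved-ID check and lands inside the array, which is exactly the situation the report points out; the checked variant simply drops such doorbells rather than dereferencing past the allocation.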
