Date: Mon, 30 May 2022 09:52:03 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 264347] bhyve guest can cause access beyond end of pci_xhci.c's ep_sctx_trbs[] array
Message-ID: <bug-264347-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264347

            Bug ID: 264347
           Summary: bhyve guest can cause access beyond end of pci_xhci.c's ep_sctx_trbs[] array
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Bhyve's pci_xhci_init_ep() allocates space for multiple streams if the guest
asks for them:

    pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
    if (pstreams > 0) {
        ...;
        devep->ep_sctx_trbs = calloc(pstreams,
            sizeof(struct pci_xhci_trb_ring));

So if the guest asks for one stream, only devep->ep_sctx_trbs[0] is valid.

ep_sctx_trbs[] is used in pci_xhci_device_doorbell():

    if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
        /*
         * Stream IDs of 0, 65535 (any stream), and 65534
         * (prime) are invalid.
         */
        if (streamid == 0 || streamid == 65534 || streamid == 65535) {
            DPRINTF(("pci_xhci: invalid stream"));
            return;
        }
        ...;
        sctx_tr = &devep->ep_sctx_trbs[streamid];
        ...;
        ringaddr = sctx_tr->ringaddr;

But here, if the guest asks for one stream, the code requires streamid to be
1, and thus indexes beyond the end of ep_sctx_trbs[].

-- 
You are receiving this mail because:
You are the assignee for the bug.
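The report above boils down to an index derived from guest-controlled data (the stream ID from the doorbell) being used against an array whose length is also guest-controlled (MaxPStreams), with the reserved-ID filter present but no comparison against the allocation size. The following is an added example, not bhyve's code and not the reporter's: it models the two structures with constructed stand-ins (struct trb_ring and struct endpoint, field names assumed; only ringaddr, pstreams and the calloc() sizing come from the report) and shows a bounds-checked accessor, lookup_stream_ring() (hypothetical name), that keeps the existing rejects for 0, 65534 and 65535 and adds the missing check that streamid lies inside the calloc()'d array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed stand-ins for the bhyve structures named in the report.
 * Field sets are assumptions; only ringaddr is taken from the report.
 */
struct trb_ring {
    uint64_t ringaddr;
};

struct endpoint {
    uint32_t pstreams;            /* count the guest supplied via MaxPStreams */
    struct trb_ring *sctx_trbs;   /* calloc(pstreams, sizeof *sctx_trbs), as in the report */
};

/*
 * Bounds-checked accessor (hypothetical name). Reproduces the reserved-ID
 * rejects from pci_xhci_device_doorbell() and adds the check the report
 * says is missing: the index must be below the number of rings that were
 * actually allocated. Returns NULL on any rejection so the caller can
 * bail out the same way the existing DPRINTF/return path does.
 */
struct trb_ring *
lookup_stream_ring(struct endpoint *ep, uint32_t streamid)
{
    if (ep->pstreams == 0 || ep->sctx_trbs == NULL)
        return NULL;                       /* endpoint has no stream array */
    if (streamid == 0 || streamid == 65534 || streamid == 65535)
        return NULL;                       /* reserved stream IDs */
    if (streamid >= ep->pstreams)
        return NULL;                       /* would index past ep_sctx_trbs[] */
    return &ep->sctx_trbs[streamid];
}

/*
 * Allocate an endpoint with `pstreams` rings exactly as the report
 * describes, attempt `streamid`, free the array, and report whether the
 * lookup was accepted (1) or rejected (0).
 */
int
probe_stream(uint32_t pstreams, uint32_t streamid)
{
    struct endpoint ep;
    int accepted;

    ep.pstreams = pstreams;
    ep.sctx_trbs = pstreams ? calloc(pstreams, sizeof *ep.sctx_trbs) : NULL;
    if (pstreams != 0 && ep.sctx_trbs == NULL) {
        perror("calloc");
        exit(1);
    }
    accepted = (lookup_stream_ring(&ep, streamid) != NULL);
    free(ep.sctx_trbs);
    return accepted;
}

int
main(void)
{
    /* The report's case: one ring allocated, doorbell arrives for stream 1. */
    printf("pstreams=1 streamid=1 -> %s\n", probe_stream(1, 1) ? "accepted" : "rejected");
    printf("pstreams=4 streamid=3 -> %s\n", probe_stream(4, 3) ? "accepted" : "rejected");
    printf("pstreams=4 streamid=4 -> %s\n", probe_stream(4, 4) ? "accepted" : "rejected");
    return 0;
}
```

With the array sized as the report shows, the guard rejects stream 1 on a one-stream endpoint, which is exactly the access the report flags. Whether the right long-term fix is to size the array for the 1-based stream numbering or to translate the ID before indexing is a design choice the report leaves open; the point of the guard is that no value the guest supplies can select an element outside the range that was actually allocated.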