From owner-svn-src-head@freebsd.org Mon Jun 29 00:32:41 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 680133597B4; Mon, 29 Jun 2020 00:32:41 +0000 (UTC) (envelope-from chuck@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49w7jz5mw7z43YH; Mon, 29 Jun 2020 00:32:39 +0000 (UTC) (envelope-from chuck@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BDD291EAC7; Mon, 29 Jun 2020 00:31:58 +0000 (UTC) (envelope-from chuck@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 05T0VwwM049826; Mon, 29 Jun 2020 00:31:58 GMT (envelope-from chuck@FreeBSD.org) Received: (from chuck@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 05T0VwS7049825; Mon, 29 Jun 2020 00:31:58 GMT (envelope-from chuck@FreeBSD.org) Message-Id: <202006290031.05T0VwS7049825@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: chuck set sender to chuck@FreeBSD.org using -f From: Chuck Tuffli Date: Mon, 29 Jun 2020 00:31:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r362758 - head/usr.sbin/bhyve X-SVN-Group: head X-SVN-Commit-Author: chuck X-SVN-Commit-Paths: head/usr.sbin/bhyve X-SVN-Commit-Revision: 362758 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Jun 2020 00:32:41 -0000 Author: chuck Date: Mon Jun 29 00:31:58 2020 New Revision: 362758 URL: https://svnweb.freebsd.org/changeset/base/362758 Log: bhyve: validate NVMe deallocate range values For NVMe emulation, validate the Data Set Management LBA ranges do not exceed the capacity of the backing storage. If they do, return an "LBA Out of Range" error. Fixes UNH Test 2.2.3 Tested by: Jason Tubnor MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D24893 Modified: head/usr.sbin/bhyve/pci_nvme.c Modified: head/usr.sbin/bhyve/pci_nvme.c ============================================================================== --- head/usr.sbin/bhyve/pci_nvme.c Mon Jun 29 00:31:54 2020 (r362757) +++ head/usr.sbin/bhyve/pci_nvme.c Mon Jun 29 00:31:58 2020 (r362758) @@ -1877,6 +1877,11 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, cmd->prp1, cmd->prp2, (uint8_t *)range, NVME_MAX_DSM_TRIM, NVME_COPY_FROM_PRP); + if ((range[0].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } + /* * If the request is for more than a single range, store * the ranges in the br_iov. Optimize for the common case @@ -1896,6 +1901,10 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, struct iovec *iov = req->io_req.br_iov; for (r = 0; r <= nr; r++) { + if ((range[r].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } iov[r].iov_base = (void *)(range[r].starting_lba * sectsz); iov[r].iov_len = range[r].length * sectsz; }