Date: Thu, 09 Jun 2022 09:32:02 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 264567] bhyve's e82545_transmit() can index beyond the end of the tx descriptors
Message-ID: <bug-264567-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264567

Bug ID: 264567
Summary: bhyve's e82545_transmit() can index beyond the end of the tx descriptors
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu

When it is first executed, e82545_tx_run() passes whatever it finds in
sc->esc_TDH to e82545_transmit() as the head index, and the latter uses
the index without any check:

    dsc = &sc->esc_txdesc[head];

The guest can specify any 16-bit TDH by writing the E1000_TDH(0)
register. So it can cause e82545_transmit() to try to read a host
address up to a megabyte beyond the end of guest memory. And can cause
e82545_transmit_done() to try to write there.

-- 
You are receiving this mail because:
You are the assignee for the bug.
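
The missing check described in the report above, as an added example that is not part of the original message and is not bhyve's code. The struct, field and function names are hypothetical, and it assumes 16-byte descriptors and a ring length taken from a guest-programmed length register.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 16u            /* assumed: a legacy e1000 tx descriptor is 16 bytes */

struct tx_desc { uint8_t raw[DESC_SIZE]; };

/* Hypothetical, simplified device state (not bhyve's struct e82545_softc). */
struct nic_model {
	struct tx_desc *txdesc;  /* host mapping of the guest's descriptor ring */
	uint32_t tdlen;          /* ring length in bytes, guest-programmed (assumed) */
	uint16_t tdh;            /* head index, guest-writable, any 16-bit value */
};

/* Byte offset an unvalidated head index would address from the ring base. */
static size_t
unchecked_offset(uint16_t head)
{
	return ((size_t)head * DESC_SIZE);
}

/* Hardened lookup: refuse any head that is not inside the ring. */
static struct tx_desc *
tx_desc_checked(const struct nic_model *sc, uint16_t head)
{
	uint32_t ndesc = sc->tdlen / DESC_SIZE;

	if (sc->txdesc == NULL || head >= ndesc)
		return (NULL);
	return (&sc->txdesc[head]);
}

int
main(void)
{
	static struct tx_desc ring[8];   /* constructed 8-entry ring */
	struct nic_model sc = { ring, sizeof(ring), 0xffff };

	printf("unchecked offset: %zu bytes past ring base\n",
	    unchecked_offset(sc.tdh));
	printf("checked lookup: %s\n",
	    tx_desc_checked(&sc, sc.tdh) ? "accepted" : "rejected");
	return (0);
}
```

With the largest 16-bit head value the unchecked offset is just under 1 MiB, which matches the "up to a megabyte" reach in the report; the checked lookup rejects it before any descriptor is read or written back.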