Date: Sun, 19 Jul 2020 23:42:46 +0000 (UTC) From: Chuck Tuffli <chuck@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r363348 - stable/12/usr.sbin/bhyve Message-ID: <202007192342.06JNgk6C071037@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: chuck Date: Sun Jul 19 23:42:46 2020 New Revision: 363348 URL: https://svnweb.freebsd.org/changeset/base/363348 Log: MFC r362758 bhyve: validate NVMe deallocate range values Modified: stable/12/usr.sbin/bhyve/pci_nvme.c Directory Properties: stable/12/ (props changed) Modified: stable/12/usr.sbin/bhyve/pci_nvme.c ============================================================================== --- stable/12/usr.sbin/bhyve/pci_nvme.c Sun Jul 19 23:40:34 2020 (r363347) +++ stable/12/usr.sbin/bhyve/pci_nvme.c Sun Jul 19 23:42:46 2020 (r363348) @@ -1876,6 +1876,11 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, cmd->prp1, cmd->prp2, (uint8_t *)range, NVME_MAX_DSM_TRIM, NVME_COPY_FROM_PRP); + if ((range[0].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } + /* * If the request is for more than a single range, store * the ranges in the br_iov. Optimize for the common case @@ -1895,6 +1900,10 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, struct iovec *iov = req->io_req.br_iov; for (r = 0; r <= nr; r++) { + if ((range[r].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } iov[r].iov_base = (void *)(range[r].starting_lba * sectsz); iov[r].iov_len = range[r].length * sectsz; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007192342.06JNgk6C071037>