Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 23 Jul 2019 17:48:37 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r350247 - stable/11/usr.sbin/bhyve
Message-ID:  <201907231748.x6NHmbLt094211@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: emaste
Date: Tue Jul 23 17:48:37 2019
New Revision: 350247
URL: https://svnweb.freebsd.org/changeset/base/350247

Log:
  MFC r350244: bhyve: correct out-of-bounds read in XHCI device emulation
  
  Add appropriate bounds checks on the epid and streamid fields in the
  device doorbell registers.
  
  admbugs:	919
  Submitted by:	jhb
  Reported by:	Reno Robert <renorobert@gmail.com>
  Reviewed by:	markj
  Approved by:	so
  Security:	out-of-bounds read

Modified:
  stable/11/usr.sbin/bhyve/pci_xhci.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_xhci.c	Tue Jul 23 17:48:37 2019	(r350246)
+++ stable/11/usr.sbin/bhyve/pci_xhci.c	Tue Jul 23 17:48:37 2019	(r350247)
@@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 		        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907231748.x6NHmbLt094211>