Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 19 Nov 2022 17:49:15 +0000
From:      bugzilla-noreply@freebsd.org
To:        virtualization@FreeBSD.org
Subject:   [Bug 264177] bhyve: Guest can cause a crash in bhyve nvme emulation
Message-ID:  <bug-264177-27103-YbyQumwiuV@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-264177-27103@https.bugs.freebsd.org/bugzilla/>
References:  <bug-264177-27103@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264177

--- Comment #6 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=3Da00b97054a504792eb6fa028728726f5c=
37744c3

commit a00b97054a504792eb6fa028728726f5c37744c3
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2022-06-09 18:19:32 +0000
Commit:     Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2022-11-20 01:48:45 +0000

    bhyve nvme: Fix out-of-bound IOV array access

    Summary:
    NVMe operations indicate the memory region(s) associated with a command
    via physical region pages (PRPs). Since each PRP has a fixed size,
    contiguous memory regions larger than the PRP size require multiple PRP
    entries.

    Instead of issuing a blockif call for each PRP, the NVMe emulation
    concatenates multiple contiguous PRP entries into a single blockif
    request. The test for contiguous regions has a bug such that it
    mistakenly treats an initial PRP address of zero as a contiguous range
    and concatenates it with the previous. But because there is no previous
    IOV, the concatenation code corrupts the IO request structure and leads
    to a segmentation fault when the blockif request completes.

    Fix is to test for the existence of a previous range before trying to
    concatenate the current range with the previous one.

    While in the area, rename pci_nvme_append_iov_req()'s lba parameter to
    offset to match its usage.

    PR:             264177

    (cherry picked from commit 88951aaaee73b87121b0f121224fe188a5b5e6e3)

 usr.sbin/bhyve/pci_nvme.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--=20
You are receiving this mail because:
You are on the CC list for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-264177-27103-YbyQumwiuV>