Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Jul 2019 12:56:07 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r350285 - in releng: 11.2/usr.sbin/bhyve 11.3/usr.sbin/bhyve 12.0/usr.sbin/bhyve
Message-ID:  <201907241256.x6OCu7xM076540@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: gordon
Date: Wed Jul 24 12:56:06 2019
New Revision: 350285
URL: https://svnweb.freebsd.org/changeset/base/350285

Log:
  Fix byhve out-of-bounds read in XHCI device.
  
  Approved by:	so
  Security:	FreeBSD-SA-19:16.bhyve
  Security:	CVE-2019-5604

Modified:
  releng/11.2/usr.sbin/bhyve/pci_xhci.c
  releng/11.3/usr.sbin/bhyve/pci_xhci.c
  releng/12.0/usr.sbin/bhyve/pci_xhci.c

Modified: releng/11.2/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- releng/11.2/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:55:16 2019	(r350284)
+++ releng/11.2/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:56:06 2019	(r350285)
@@ -1898,6 +1898,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1923,6 +1928,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1931,6 +1953,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 		        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;

Modified: releng/11.3/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- releng/11.3/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:55:16 2019	(r350284)
+++ releng/11.3/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:56:06 2019	(r350285)
@@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 		        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;

Modified: releng/12.0/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- releng/12.0/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:55:16 2019	(r350284)
+++ releng/12.0/usr.sbin/bhyve/pci_xhci.c	Wed Jul 24 12:56:06 2019	(r350285)
@@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 		        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907241256.x6OCu7xM076540>