Author: emaste
Date: Tue Jul 23 17:48:37 2019
New Revision: 350247
URL: https://svnweb.freebsd.org/changeset/base/350247
Log:
  MFC r350244: bhyve: correct out-of-bounds read in XHCI device emulation
  
  Add appropriate bounds checks on the epid and streamid fields in the
  device doorbell registers.
  
  admbugs:      919
  Submitted by: jhb
  Reported by:  Reno Robert <renorob...@gmail.com>
  Reviewed by:  markj
  Approved by:  so
  Security:     out-of-bounds read

Modified:
  stable/11/usr.sbin/bhyve/pci_xhci.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_xhci.c Tue Jul 23 17:48:37 2019        
(r350246)
+++ stable/11/usr.sbin/bhyve/pci_xhci.c Tue Jul 23 17:48:37 2019        
(r350247)
@@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
                return;
        }
 
+       if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+               DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+               return;
+       }
+
        dev = XHCI_SLOTDEV_PTR(sc, slot);
        devep = &dev->eps[epid];
        dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
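Review bot: `dev` comes from `XHCI_SLOTDEV_PTR(sc, slot)` and is used to form `&dev->eps[epid]` right after the new endpoint check, with no NULL test in the visible lines. The slot range check above the hunk only shows that the slot number is in range, not that a device is attached to it. Whether the macro can yield NULL for an unpopulated slot is not visible here, so please confirm; if it can, add `if (dev == NULL) return;` before the `devep` assignment. The new check also assumes `eps[]` is declared with `XHCI_MAX_ENDPOINTS` elements, which deserves a one-line comment at the check. The body of `pci_xhci_device_doorbell` starts and ends outside this hunk.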
@@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
        /* get next trb work item */
        if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+               struct xhci_stream_ctx *sctx;
+
+               /*
+                * Stream IDs of 0, 65535 (any stream), and 65534
+                * (prime) are invalid.
+                */
+               if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+                       DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+                       return;
+               }
+
+               sctx = NULL;
+               pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+               if (sctx == NULL) {
+                       DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+                       return;
+               }
                sctx_tr = &devep->ep_sctx_trbs[streamid];
                ringaddr = sctx_tr->ringaddr;
                ccs = sctx_tr->ccs;
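Review bot: The return value of `pci_xhci_find_stream()` is discarded, and the only failure signal used is `sctx` still being NULL afterwards. The index in `devep->ep_sctx_trbs[streamid]` is therefore safe only if that helper leaves `sctx` untouched on every error path and rejects any `streamid` beyond what `ep_sctx_trbs` was allocated for. Neither the helper nor the allocation is visible in this hunk, so the upper bound on a guest-supplied index is implicit here. I would test the helper's return status as well as `sctx`, and state the invariant next to the index, e.g. `/* streamid was bounded by pci_xhci_find_stream() against the endpoint's stream array */`. The reserved values 65534 and 65535 would also read better as named constants than as literals.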
@@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
                        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
                        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
        } else {
+               if (streamid != 0) {
+                       DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+                       return;
+               }
                ringaddr = devep->ep_ringaddr;
                ccs = devep->ep_ccs;
                trb = devep->ep_tr;
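Review bot: This rejection logs the same text, `"pci_xhci: invalid stream %u\r\n"`, as the two stream-endpoint rejections added in the previous hunk. A debug log from a misbehaving guest therefore cannot show which of the three checks fired. A distinct message here would make triage easier, for example `DPRINTF(("pci_xhci: stream %u on non-stream endpoint\r\n", streamid));`, along with different wording for the reserved-ID and lookup-failure cases above. The `else` branch continues past the end of the hunk.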