Date: Thu, 25 Aug 2022 17:31:39 GMT
Message-Id: <202208251731.27PHVdmG043454@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: ff5d46d7f9a1 - stable/13 - bhyve e1000: Skip packets with a small header.
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: ff5d46d7f9a1042acdc0abf6a8f47e0d3fc9d446

The branch stable/13 has been updated by jhb:

URL:
https://cgit.FreeBSD.org/src/commit/?id=ff5d46d7f9a1042acdc0abf6a8f47e0d3fc9d446

commit ff5d46d7f9a1042acdc0abf6a8f47e0d3fc9d446
Author:     John Baldwin
AuthorDate: 2022-08-17 17:01:16 +0000
Commit:     John Baldwin
CommitDate: 2022-08-25 16:37:38 +0000

    bhyve e1000: Skip packets with a small header.

    Certain operations such as checksum insertion and VLAN insertion
    require the device model to rewrite the packet header.  The first
    step in rewriting the packet header is to copy the existing packet
    header from the source packet.  This copy is done by copying data
    from an iovec array that corresponds to the S/G entries described by
    transmit descriptors.  However, if the total packet length is
    smaller than the headers that need to be copied as the initial
    template, this copy can overflow the iovec array and use garbage
    values as the source pointer to memcpy.  The PR used a single
    descriptor with a length of 0 in its PoC.

    To fix, track the total packet length and drop requests to transmit
    packets whose payload is smaller than the required header length.

    While here, fix another issue where the final descriptor could have
    an invalid length (too short) that could underflow 'len' when
    stripping the checksum.  Skip those requests instead, too.

    PR:             264372
    Reported by:    Robert Morris
    Reviewed by:    grehan, markj
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D36182

    (cherry picked from commit fa46f3704b7618f9d9493c126df781faf59040a8)
---
 usr.sbin/bhyve/pci_e82545.c | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index ff92ee0ed4cc..63820ae71f2c 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c
@@ -233,7 +233,7 @@ struct ck_info { * Debug printf */ static int e82545_debug = 0; -#define WPRINTF(msg,params...) PRINTLN("e82545: " msg, params) +#define WPRINTF(msg,params...) PRINTLN("e82545: " msg, ##params) #define DPRINTF(msg,params...) if (e82545_debug) WPRINTF(msg, params) #define MIN(a,b) (((a)<(b))?(a):(b)) @@ -1086,15 +1086,18 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, union e1000_tx_udesc *dsc; int desc, dtype, len, ntype, iovcnt, tcp, tso; int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff; - unsigned hdrlen, vlen; + unsigned hdrlen, vlen, pktlen; uint32_t tcpsum, tcpseq; uint16_t ipcs, tcpcs, ipid, ohead; + bool invalid; ckinfo[0].ck_valid = ckinfo[1].ck_valid = 0; iovcnt = 0; ntype = 0; tso = 0; + pktlen = 0; ohead = head; + invalid = false; /* iovb[0/1] may be used for writable copy of headers. */ iov = &iovb[2]; @@ -1144,17 +1147,23 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, len = (dtype == E1000_TXD_TYP_L) ? dsc->td.lower.flags.length : dsc->dd.lower.data & 0xFFFFF; - if (len > 0) { - /* Strip checksum supplied by guest. */ - if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) != 0 && - (dsc->td.lower.data & E1000_TXD_CMD_IFCS) == 0) + /* Strip checksum supplied by guest. */ + if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) != 0 && + (dsc->td.lower.data & E1000_TXD_CMD_IFCS) == 0) { + if (len <= 2) { + WPRINTF("final descriptor too short (%d) -- dropped", + len); + invalid = true; + } else len -= 2; - if (iovcnt < I82545_MAX_TXSEGS) { - iov[iovcnt].iov_base = paddr_guest2host( - sc->esc_ctx, dsc->td.buffer_addr, len); - iov[iovcnt].iov_len = len; - } + } + + if (len > 0 && iovcnt < I82545_MAX_TXSEGS) { + iov[iovcnt].iov_base = paddr_guest2host(sc->esc_ctx, + dsc->td.buffer_addr, len); + iov[iovcnt].iov_len = len; iovcnt++; + pktlen += len; } /* 
@@ -1202,6 +1211,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, } } + if (invalid) + goto done; + if (iovcnt > I82545_MAX_TXSEGS) { WPRINTF("tx too many descriptors (%d > %d) -- dropped", iovcnt, I82545_MAX_TXSEGS); @@ -1295,8 +1307,13 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, } } + if (pktlen < hdrlen + vlen) { + WPRINTF("packet too small for writable header"); + goto done; + } + /* Allocate, fill and prepend writable header vector. */ - if (hdrlen != 0) { + if (hdrlen + vlen != 0) { hdr = __builtin_alloca(hdrlen + vlen); hdr += vlen; for (left = hdrlen, hdrp = hdr; left > 0;
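
Review bot: In the first hunk (@@ -233,7 +233,7 @@), only WPRINTF gets `##params`, while DPRINTF on the next context line still forwards bare `params` and is still a bare `if` statement. Since the macro block is being touched anyway, I would give DPRINTF the same `##params` form and wrap it in `do { ... } while (0)`, so that an `else` following a DPRINTF call cannot bind to the macro's `if`. A short comment that the comma deletion relies on the GNU `##` extension would also help whoever next ports this file.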
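
Review bot: In the descriptor loop hunk (@@ -1144,17 +1147,23 @@), `iovcnt++` has moved inside `if (len > 0 && iovcnt < I82545_MAX_TXSEGS)`, so from the lines shown iovcnt can no longer grow past I82545_MAX_TXSEGS. The old code incremented it outside the bounds test, which is what allowed the later `if (iovcnt > I82545_MAX_TXSEGS)` check (context in the next hunk, "tx too many descriptors ... -- dropped") to fire. Unless iovcnt is also incremented somewhere not shown, that check is now dead and a request with too many segments is truncated and sent instead of dropped. Either keep the increment outside the bounds test, or set `invalid = true` when the array is full. Separately, `len <= 2` now marks a zero-length EOP descriptor invalid, where the old `if (len > 0)` guard simply ignored it; please confirm that dropping the whole packet in that case is intended and say so in the comment above the test.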
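
Review bot: In the last hunk (@@ -1295,8 +1307,13 @@), the new guard compares `pktlen < hdrlen + vlen`, but the copy loop visible just below starts at `left = hdrlen`, with vlen only reserving space in front via `hdr += vlen`. As written, a packet with hdrlen <= pktlen < hdrlen + vlen is dropped although the copy shown reads only hdrlen bytes from the iovec. If later code that is not in this hunk needs the extra vlen bytes from the packet, a one-line comment above the check should say so; otherwise compare against hdrlen alone. The message "packet too small for writable header" also prints no values and lacks the "-- dropped" suffix used by the other drop paths; including pktlen and hdrlen + vlen would make a guest-triggered drop diagnosable from the host log.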