git: 3c6c0dcb5acb - releng/14.1 - bhyve: improve input validation in pci_xhci
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 19 Sep 2024 13:30:18 UTC
The branch releng/14.1 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=3c6c0dcb5acbc4c98633006322281c592e4e4e24
commit 3c6c0dcb5acbc4c98633006322281c592e4e4e24
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-07-17 15:04:23 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-09-19 13:07:18 +0000
bhyve: improve input validation in pci_xhci
Several functions did not validate the slot index resulting in OOB read
on the heap of the slot device structure which could lead to arbitrary
reads/writes and potentially code execution.
Reported by: Synacktiv
Reviewed by: markj (earlier), jhb
Approved by: so
Security: FreeBSD-SA-24:15.bhyve
Security: CVE-2024-41721
Security: HYP-02
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45996
(cherry picked from commit e72d86ad9c62c8054d7977a71f08e68ef755c132)
(cherry picked from commit 419da61f8203ac475550ae4b0971dbef10f811f2)
---
usr.sbin/bhyve/pci_xhci.c | 78 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 5 deletions(-)
diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c
index 791c56a45f0b..77b17d525bdd 100644
--- a/usr.sbin/bhyve/pci_xhci.c
+++ b/usr.sbin/bhyve/pci_xhci.c
@@ -580,7 +580,7 @@ pci_xhci_get_dev_ctx(struct pci_xhci_softc *sc, uint32_t slot)
uint64_t devctx_addr;
struct xhci_dev_ctx *devctx;
- assert(slot > 0 && slot <= XHCI_MAX_DEVS);
+ assert(slot > 0 && slot <= XHCI_MAX_SLOTS);
assert(XHCI_SLOTDEV_PTR(sc, slot) != NULL);
assert(sc->opregs.dcbaa_p != NULL);
@@ -853,7 +853,10 @@ pci_xhci_cmd_disable_slot(struct pci_xhci_softc *sc, uint32_t slot)
if (sc->portregs == NULL)
goto done;
- if (slot > XHCI_MAX_SLOTS) {
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
@@ -889,6 +892,14 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
DPRINTF(("pci_xhci reset device slot %u", slot));
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
+
dev = XHCI_SLOTDEV_PTR(sc, slot);
if (!dev || dev->dev_slotstate == XHCI_ST_DISABLED)
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
@@ -897,6 +908,10 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
dev->hci.hci_address = 0;
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+ if (dev_ctx == NULL) {
+ cmderr = XHCI_TRB_ERROR_PARAMETER;
+ goto done;
+ }
/* slot state */
dev_ctx->ctx_slot.dwSctx3 = FIELD_REPLACE(
@@ -957,8 +972,20 @@ pci_xhci_cmd_address_device(struct pci_xhci_softc *sc, uint32_t slot,
goto done;
}
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
+
/* assign address to slot */
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+ if (dev_ctx == NULL) {
+ cmderr = XHCI_TRB_ERROR_PARAMETER;
+ goto done;
+ }
DPRINTF(("pci_xhci: address device, dev ctx"));
DPRINTF((" slot %08x %08x %08x %08x",
@@ -1019,6 +1046,14 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
DPRINTF(("pci_xhci config_ep slot %u", slot));
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
+
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
@@ -1032,6 +1067,10 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
dev->hci.hci_address = 0;
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+ if (dev_ctx == NULL) {
+ cmderr = XHCI_TRB_ERROR_PARAMETER;
+ goto done;
+ }
/* number of contexts */
dev_ctx->ctx_slot.dwSctx0 = FIELD_REPLACE(
@@ -1138,11 +1177,19 @@ pci_xhci_cmd_reset_ep(struct pci_xhci_softc *sc, uint32_t slot,
cmderr = XHCI_TRB_ERROR_SUCCESS;
- type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
+ type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
+
if (type == XHCI_TRB_TYPE_STOP_EP &&
(trb->dwTrb3 & XHCI_TRB_3_SUSP_EP_BIT) != 0) {
/* XXX suspend endpoint for 10ms */
@@ -1227,6 +1274,14 @@ pci_xhci_cmd_set_tr(struct pci_xhci_softc *sc, uint32_t slot,
cmderr = XHCI_TRB_ERROR_SUCCESS;
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
+
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
@@ -1325,8 +1380,20 @@ pci_xhci_cmd_eval_ctx(struct pci_xhci_softc *sc, uint32_t slot,
goto done;
}
+ if (slot == 0) {
+ cmderr = XHCI_TRB_ERROR_TRB;
+ goto done;
+ } else if (slot > XHCI_MAX_SLOTS) {
+ cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
+ goto done;
+ }
+
/* assign address to slot; in this emulation, slot_id = address */
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+ if (dev_ctx == NULL) {
+ cmderr = XHCI_TRB_ERROR_PARAMETER;
+ goto done;
+ }
DPRINTF(("pci_xhci: eval ctx, dev ctx"));
DPRINTF((" slot %08x %08x %08x %08x",
@@ -1555,8 +1622,9 @@ pci_xhci_xfer_complete(struct pci_xhci_softc *sc, struct usb_data_xfer *xfer,
dev = XHCI_SLOTDEV_PTR(sc, slot);
devep = &dev->eps[epid];
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
-
- assert(dev_ctx != NULL);
+ if (dev_ctx == NULL) {
+ return XHCI_TRB_ERROR_PARAMETER;
+ }
ep_ctx = &dev_ctx->ctx_ep[epid];