[Bug 264177] bhyve: Guest can cause a crash in bhyve nvme emulation

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 13 Aug 2022 19:19:40 UTC

--- Comment #5 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:


commit 88951aaaee73b87121b0f121224fe188a5b5e6e3
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2022-06-09 18:19:32 +0000
Commit:     Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2022-08-13 19:16:02 +0000

    bhyve nvme: Fix out-of-bound IOV array access

    NVMe operations indicate the memory region(s) associated with a command
    via physical region pages (PRPs). Since each PRP has a fixed size,
    contiguous memory regions larger than the PRP size require multiple PRP

    Instead of issuing a blockif call for each PRP, the NVMe emulation
    concatenates multiple contiguous PRP entries into a single blockif
    request. The test for contiguous regions has a bug such that it
    mistakenly treats an initial PRP address of zero as a contiguous range
    and concatenates it with the previous. But because there is no previous
    IOV, the concatenation code corrupts the IO request structure and leads
    to a segmentation fault when the blockif request completes.

    Fix is to test for the existence of a previous range before trying to
    concatenate the current range with the previous one.

    While in the area, rename pci_nvme_append_iov_req()'s lba parameter to
    offset to match its usage.

    PR:             264177
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    jhb
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D35328

 usr.sbin/bhyve/pci_nvme.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

You are receiving this mail because:
You are on the CC list for the bug.