[Bug 264548] bhyve's nvme_opc_dataset_mgmt() can free() uninitialized pointer
Date: Wed, 08 Jun 2022 14:49:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264548
Bug ID: 264548
Summary: bhyve's nvme_opc_dataset_mgmt() can free() uninitialized pointer
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Bhyve's nvme_opc_dataset_mgmt() can free(range) before initializing it:
    struct nvme_dsm_range *range;
    ...;
    if ((sc->ctrldata.oncs & NVME_ONCS_DSM) == 0) {
            pci_nvme_status_genc(status, NVME_SC_INVALID_OPCODE);
            goto out;
    }
    ...;
    range = calloc(1, NVME_MAX_DSM_TRIM);
    ...;
out:
    free(range);
A guest can cause this to happen by ringing the doorbell of a
submission queue with an entry with cmd->opc
NVME_OPC_DATASET_MANAGEMENT.
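The usual fix for this pattern is to initialise the pointer at its declaration so that every path to the shared cleanup label hands free() either NULL or a live allocation. The following is an added, self-contained illustration written for this report, not bhyve's own code: the NVMe constants, the struct layouts and the fake controller are constructed stand-ins, and free() is wrapped so the cleanup behaviour on the early-exit path can be checked directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the bhyve/NVMe names the report mentions; the
 * numeric values are illustrative and not taken from the spec or from bhyve. */
#define NVME_ONCS_DSM                  0x0004
#define NVME_MAX_DSM_TRIM              4096
#define NVME_SC_SUCCESS                0x00
#define NVME_SC_INVALID_OPCODE         0x01
#define NVME_SC_INTERNAL_DEVICE_ERROR  0x06   /* constructed value */

struct nvme_dsm_range {		/* shape only; field layout is illustrative */
	uint32_t attributes;
	uint32_t length;
	uint64_t starting_lba;
};

struct fake_ctrl {		/* stand-in for the part of sc->ctrldata used here */
	uint16_t oncs;
};

/* Instrumented free(): records what the handler passes to it so a test can
 * confirm the cleanup path never receives an indeterminate pointer. */
static int g_free_calls;
static int g_last_free_was_null;

static void
tracked_free(void *p)
{
	g_free_calls++;
	g_last_free_was_null = (p == NULL);
	free(p);
}

/* Hardened shape of the handler. The one-line fix is initialising `range`
 * to NULL at its declaration: every path to the shared `out:` label then
 * passes either NULL (a no-op for free()) or a pointer calloc() returned. */
static int
dataset_mgmt_fixed(const struct fake_ctrl *ctrl)
{
	struct nvme_dsm_range *range = NULL;	/* the fix */
	int status = NVME_SC_SUCCESS;

	if ((ctrl->oncs & NVME_ONCS_DSM) == 0) {
		status = NVME_SC_INVALID_OPCODE;
		goto out;			/* early exit before calloc() */
	}

	range = calloc(1, NVME_MAX_DSM_TRIM);
	if (range == NULL) {
		status = NVME_SC_INTERNAL_DEVICE_ERROR;
		goto out;
	}
	/* ... copy the guest's range list into `range` and process it ... */

out:
	tracked_free(range);			/* safe on every path */
	return (status);
}

/* Drive one command against a controller with the given ONCS bits and
 * reset the free() instrumentation first, so each run can be inspected. */
static int
run_command(uint16_t oncs)
{
	struct fake_ctrl ctrl = { .oncs = oncs };

	g_free_calls = 0;
	g_last_free_was_null = -1;
	return (dataset_mgmt_fixed(&ctrl));
}

static int free_calls(void) { return (g_free_calls); }
static int last_free_was_null(void) { return (g_last_free_was_null); }

int
main(void)
{
	int st;

	st = run_command(0);		/* controller that does not advertise DSM */
	printf("no DSM : status=0x%02x free() calls=%d freed NULL=%d\n",
	    st, free_calls(), last_free_was_null());
	st = run_command(NVME_ONCS_DSM);
	printf("with DSM: status=0x%02x free() calls=%d freed NULL=%d\n",
	    st, free_calls(), last_free_was_null());
	return (0);
}
```

With the original declaration (`struct nvme_dsm_range *range;` with no initialiser), the first run reaches `out:` with whatever happened to be on the stack; clang reports that shape as `-Wsometimes-uninitialized` (enabled by `-Wall`), and running the emulator under AddressSanitizer turns the bad free() into an immediate report rather than silent heap corruption, which is worth doing for any guest-reachable command path.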