[Bug 264177] guest can cause a crash in bhyve nvme emulation

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 23 May 2022 15:10:14 UTC

            Bug ID: 264177
           Summary: guest can cause a crash in bhyve nvme emulation
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In bhyve's pci_nvme_append_iov_req(), if the guest provides a zero
prp1 (i.e. gpaddr) for an I/O operation, then this code runs:

        if ((req->prev_gpaddr + req->prev_size) == gpaddr) {
                iovidx = req->io_req.br_iovcnt - 1;
                req->prev_size += size;
                req->io_req.br_iov[iovidx].iov_len = req->prev_size;

prev_gpaddr, prev_size, and br_iovcnt are all ordinarily zero at this
point. So iovidx = -1, and the assignment to br_iov[iovidx].iov_len
actually overwrites io_req.br_param. This later causes a bad pointer
dereference in pci_nvme_io_done():

        struct pci_nvme_ioreq *req = br->br_param;
        struct nvme_submission_queue *sq = req->nvme_sq;

You can see this happen if you boot a FreeBSD guest kernel in bhyve
with an nvme device, after modifying the guest kernel's
nvme_payload_map() in /sys/dev/nvme/nvme_qpair.c to set
tr->req->cmd.prp1 to zero when it is called for the third time.

You are receiving this mail because:
You are the assignee for the bug.