svn commit: r350244 - head/usr.sbin/bhyve

Ed Maste emaste at FreeBSD.org
Tue Jul 23 16:27:37 UTC 2019 

Author: emaste
Date: Tue Jul 23 16:27:36 2019
New Revision: 350244
URL: https://svnweb.freebsd.org/changeset/base/350244

Log:
  bhyve: correct out-of-bounds read in XHCI device emulation
  
  Add appropriate bounds checks on the epid and streamid fields in the
  device doorbell registers.
  
  admbugs:	919
  Submitted by:	jhb
  Reported by:	Reno Robert <renorobert at gmail.com>
  Reviewed by:	markj
  Approved by:	so
  Security:	out-of-bounds read

Modified:
  head/usr.sbin/bhyve/pci_xhci.c

Modified: head/usr.sbin/bhyve/pci_xhci.c
==============================================================================
--- head/usr.sbin/bhyve/pci_xhci.c	Tue Jul 23 16:11:38 2019	(r350243)
+++ head/usr.sbin/bhyve/pci_xhci.c	Tue Jul 23 16:27:36 2019	(r350244)
@@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui
 		        streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 		        trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;

More information about the svn-src-all mailing list