svn commit: r362758 - head/usr.sbin/bhyve

[Chuck Tuffli]

Author: chuck
Date: Mon Jun 29 00:31:58 2020
New Revision: 362758
URL: https://svnweb.freebsd.org/changeset/base/362758

Log:
  bhyve: validate NVMe deallocate range values
  
  For NVMe emulation, validate the Data Set Management LBA ranges do not
  exceed the capacity of the backing storage. If they do, return an "LBA
  Out of Range" error.
  
  Fixes UNH Test 2.2.3
  
  Tested by:	Jason Tubnor
  MFC after:	2 weeks
  Differential Revision: https://reviews.freebsd.org/D24893

Modified:
  head/usr.sbin/bhyve/pci_nvme.c

Modified: head/usr.sbin/bhyve/pci_nvme.c
==============================================================================
--- head/usr.sbin/bhyve/pci_nvme.c	Mon Jun 29 00:31:54 2020	(r362757)
+++ head/usr.sbin/bhyve/pci_nvme.c	Mon Jun 29 00:31:58 2020	(r362758)
@@ -1877,6 +1877,11 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc,
 		nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, cmd->prp1, cmd->prp2,
 		    (uint8_t *)range, NVME_MAX_DSM_TRIM, NVME_COPY_FROM_PRP);
 
+		if ((range[0].starting_lba * sectsz) > nvstore->size) {
+			pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE);
+			goto out;
+		}
+
 		/*
 		 * If the request is for more than a single range, store
 		 * the ranges in the br_iov. Optimize for the common case
@@ -1896,6 +1901,10 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc,
 			struct iovec *iov = req->io_req.br_iov;
 
 			for (r = 0; r <= nr; r++) {
+				if ((range[r].starting_lba * sectsz) > nvstore->size) {
+					pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE);
+					goto out;
+				}
 				iov[r].iov_base = (void *)(range[r].starting_lba * sectsz);
 				iov[r].iov_len = range[r].length * sectsz;
 			}