Fix several iov handling bugs in bhyve virtio-scsi backend.

 - buf_to_iov() does not use buflen parameter, allowing out of bound read.
 - buf_to_iov() leaks memory if seek argument > 0.
 - iov_to_buf() doesn't need to reallocate buffer for every segment.
 - there is no point to use size_t for iov counts, int is more then enough.
 - some iov function arguments can be constified.
 - pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing
   getting out of buffer and possibly corrupting data.
 - pci_vtscsi_controlq_notify() written returned status at wrong offset.
 - pci_vtscsi_controlq_notify() leaked one buffer per event.

Reported by:	wg
Reviewed by:	araujo
MFC after:	1 week
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D18465

1 files changed, 32 insertions, 25 deletions

diff --git a/usr.sbin/bhyve/iov.c b/usr.sbin/bhyve/iov.c
index c564bd8ae50f..54ea22aa9498 100644
--- a/usr.sbin/bhyve/iov.c
+++ b/usr.sbin/bhyve/iov.c
@@ -2,6 +2,7 @@
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
  *
  * Copyright (c) 2016 Jakub Klama <jceel@FreeBSD.org>.
+ * Copyright (c) 2018 Alexander Motin <mav@FreeBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,12 +40,12 @@ __FBSDID("$FreeBSD$");
 #include "iov.h"
 
 void
-seek_iov(struct iovec *iov1, size_t niov1, struct iovec *iov2, size_t *niov2,
+seek_iov(const struct iovec *iov1, int niov1, struct iovec *iov2, int *niov2,
     size_t seek)
 {
 	size_t remainder = 0;
 	size_t left = seek;
-	size_t i, j;
+	int i, j;
 
 	for (i = 0; i < niov1; i++) {
 		size_t toseek = MIN(left, iov1[i].iov_len);
@@ -69,9 +70,10 @@ seek_iov(struct iovec *iov1, size_t niov1, struct iovec *iov2, size_t *niov2,
 }
 
 size_t
-count_iov(struct iovec *iov, size_t niov)
+count_iov(const struct iovec *iov, int niov)
 {
-	size_t i, total = 0;
+	size_t total = 0;
+	int i;
 
 	for (i = 0; i < niov; i++)
 		total += iov[i].iov_len;
@@ -79,35 +81,36 @@ count_iov(struct iovec *iov, size_t niov)
 	return (total);
 }
 
-size_t
-truncate_iov(struct iovec *iov, size_t niov, size_t length)
+void
+truncate_iov(struct iovec *iov, int *niov, size_t length)
 {
-	size_t i, done = 0;
+	size_t done = 0;
+	int i;
 
-	for (i = 0; i < niov; i++) {
+	for (i = 0; i < *niov; i++) {
 		size_t toseek = MIN(length - done, iov[i].iov_len);
 		done += toseek;
 
-		if (toseek < iov[i].iov_len) {
+		if (toseek <= iov[i].iov_len) {
 			iov[i].iov_len = toseek;
-			return (i + 1);
+			*niov = i + 1;
+			return;
 		}
 	}
-
-	return (niov);
 }
 
 ssize_t
-iov_to_buf(struct iovec *iov, size_t niov, void **buf)
+iov_to_buf(const struct iovec *iov, int niov, void **buf)
 {
-	size_t i, ptr = 0, total = 0;
+	size_t ptr, total;
+	int i;
 
-	for (i = 0; i < niov; i++) {
-		total += iov[i].iov_len;
-		*buf = realloc(*buf, total);
-		if (*buf == NULL)
-			return (-1);
+	total = count_iov(iov, niov);
+	*buf = realloc(*buf, total);
+	if (*buf == NULL)
+		return (-1);
 
+	for (i = 0, ptr = 0; i < niov; i++) {
 		memcpy(*buf + ptr, iov[i].iov_base, iov[i].iov_len);
 		ptr += iov[i].iov_len;
 	}
@@ -116,12 +119,12 @@ iov_to_buf(struct iovec *iov, size_t niov, void **buf)
 }
 
 ssize_t
-buf_to_iov(void *buf, size_t buflen, struct iovec *iov, size_t niov,
+buf_to_iov(const void *buf, size_t buflen, struct iovec *iov, int niov,
     size_t seek)
 {
 	struct iovec *diov;
-	size_t ndiov, i;
-	uintptr_t off = 0;
+	int ndiov, i;
+	size_t off = 0, len;
 
 	if (seek > 0) {
 		diov = malloc(sizeof(struct iovec) * niov);
@@ -131,11 +134,15 @@ buf_to_iov(void *buf, size_t buflen, struct iovec *iov, size_t niov,
 		ndiov = niov;
 	}
 
-	for (i = 0; i < ndiov; i++) {
-		memcpy(diov[i].iov_base, buf + off, diov[i].iov_len);
-		off += diov[i].iov_len;
+	for (i = 0; i < ndiov && off < buflen; i++) {
+		len = MIN(diov[i].iov_len, buflen - off);
+		memcpy(diov[i].iov_base, buf + off, len);
+		off += len;
 	}
 
+	if (seek > 0)
+		free(diov);
+
 	return ((ssize_t)off);
 }