diff options
| author | Pierre Pronchery <pierre@freebsdfoundation.org> | 2024-07-17 15:04:23 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2024-09-19 12:26:07 +0000 |
| commit | e72d86ad9c62c8054d7977a71f08e68ef755c132 (patch) | |
| tree | 3057a20fa04a9242b8d213de630e0967e5e2ac0b /usr.sbin | |
| parent | 5d045d556b1cfeb1487d49017b536afb3df105d3 (diff) | |
| download | src-e72d86ad9c62c8054d7977a71f08e68ef755c132.tar.gz src-e72d86ad9c62c8054d7977a71f08e68ef755c132.zip | |
bhyve: improve input validation in pci_xhci
Several functions did not validate the slot index resulting in OOB read
on the heap of the slot device structure which could lead to arbitrary
reads/writes and potentially code execution.
Reported by: Synacktiv
Reviewed by: markj (earlier), jhb
Security: CVE-2024-41721
Security: HYP-02
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45996
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/bhyve/pci_xhci.c | 78 |
1 files changed, 73 insertions, 5 deletions
diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c index b72c839c807b..2399cb4fc9b8 100644 --- a/usr.sbin/bhyve/pci_xhci.c +++ b/usr.sbin/bhyve/pci_xhci.c @@ -580,7 +580,7 @@ pci_xhci_get_dev_ctx(struct pci_xhci_softc *sc, uint32_t slot) uint64_t devctx_addr; struct xhci_dev_ctx *devctx; - assert(slot > 0 && slot <= XHCI_MAX_DEVS); + assert(slot > 0 && slot <= XHCI_MAX_SLOTS); assert(XHCI_SLOTDEV_PTR(sc, slot) != NULL); assert(sc->opregs.dcbaa_p != NULL); @@ -853,7 +853,10 @@ pci_xhci_cmd_disable_slot(struct pci_xhci_softc *sc, uint32_t slot) if (sc->portregs == NULL) goto done; - if (slot > XHCI_MAX_SLOTS) { + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; goto done; } @@ -889,6 +892,14 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot) DPRINTF(("pci_xhci reset device slot %u", slot)); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); if (!dev || dev->dev_slotstate == XHCI_ST_DISABLED) cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; @@ -897,6 +908,10 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot) dev->hci.hci_address = 0; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } /* slot state */ dev_ctx->ctx_slot.dwSctx3 = FIELD_REPLACE( @@ -957,8 +972,20 @@ pci_xhci_cmd_address_device(struct pci_xhci_softc *sc, uint32_t slot, goto done; } + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + /* assign address to slot */ dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } DPRINTF(("pci_xhci: address device, dev ctx")); DPRINTF((" slot %08x %08x %08x %08x", @@ -1019,6 +1046,14 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot, DPRINTF(("pci_xhci config_ep slot %u", slot)); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); @@ -1032,6 +1067,10 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot, dev->hci.hci_address = 0; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } /* number of contexts */ dev_ctx->ctx_slot.dwSctx0 = FIELD_REPLACE( @@ -1138,11 +1177,19 @@ pci_xhci_cmd_reset_ep(struct pci_xhci_softc *sc, uint32_t slot, cmderr = XHCI_TRB_ERROR_SUCCESS; - type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3); + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); + type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3); + if (type == XHCI_TRB_TYPE_STOP_EP && (trb->dwTrb3 & XHCI_TRB_3_SUSP_EP_BIT) != 0) { /* XXX suspend endpoint for 10ms */ @@ -1227,6 +1274,14 @@ pci_xhci_cmd_set_tr(struct pci_xhci_softc *sc, uint32_t slot, cmderr = XHCI_TRB_ERROR_SUCCESS; + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); assert(dev != NULL); @@ -1325,8 +1380,20 @@ pci_xhci_cmd_eval_ctx(struct pci_xhci_softc *sc, uint32_t slot, goto done; } + if (slot == 0) { + cmderr = XHCI_TRB_ERROR_TRB; + goto done; + } else if (slot > XHCI_MAX_SLOTS) { + cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON; + goto done; + } + /* assign address to slot; in this emulation, slot_id = address */ dev_ctx = pci_xhci_get_dev_ctx(sc, slot); + if (dev_ctx == NULL) { + cmderr = XHCI_TRB_ERROR_PARAMETER; + goto done; + } DPRINTF(("pci_xhci: eval ctx, dev ctx")); DPRINTF((" slot %08x %08x %08x %08x", @@ -1555,8 +1622,9 @@ pci_xhci_xfer_complete(struct pci_xhci_softc *sc, struct usb_data_xfer *xfer, dev = XHCI_SLOTDEV_PTR(sc, slot); devep = &dev->eps[epid]; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); - - assert(dev_ctx != NULL); + if (dev_ctx == NULL) { + return XHCI_TRB_ERROR_PARAMETER; + } ep_ctx = &dev_ctx->ctx_ep[epid]; |