talexander
/
freebsd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bhyve: improve input validation in pci_xhci 

Several functions did not validate the slot index resulting in OOB read
on the heap of the slot device structure which could lead to arbitrary
reads/writes and potentially code execution.

Reported by:	Synacktiv
Reviewed by:	markj (earlier), jhb
Security:	CVE-2024-41721
Security:	HYP-02
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45996
This commit is contained in:
Pierre Pronchery 2024-07-17 17:04:23 +02:00 committed by Ed Maste
parent 5d045d556b
commit e72d86ad9c
1 changed files with 73 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
usr.sbin/bhyve/pci_xhci.c
View File

@ -580,7 +580,7 @@ pci_xhci_get_dev_ctx(struct pci_xhci_softc *sc, uint32_t slot)
uint64_t devctx_addr;
struct xhci_dev_ctx *devctx;
assert(slot > 0 && slot <= XHCI_MAX_DEVS);
assert(slot > 0 && slot <= XHCI_MAX_SLOTS);
assert(XHCI_SLOTDEV_PTR(sc, slot) != NULL);
assert(sc->opregs.dcbaa_p != NULL);
@ -853,7 +853,10 @@ pci_xhci_cmd_disable_slot(struct pci_xhci_softc *sc, uint32_t slot)
if (sc->portregs == NULL)
goto done;
if (slot > XHCI_MAX_SLOTS) {
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
@ -889,6 +892,14 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
DPRINTF(("pci_xhci reset device slot %u", slot));
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
dev = XHCI_SLOTDEV_PTR(sc, slot);
if (!dev || dev->dev_slotstate == XHCI_ST_DISABLED)
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
@ -897,6 +908,10 @@ pci_xhci_cmd_reset_device(struct pci_xhci_softc *sc, uint32_t slot)
dev->hci.hci_address = 0;
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
if (dev_ctx == NULL) {
cmderr = XHCI_TRB_ERROR_PARAMETER;
goto done;
}
/* slot state */
dev_ctx->ctx_slot.dwSctx3 = FIELD_REPLACE(
@ -957,8 +972,20 @@ pci_xhci_cmd_address_device(struct pci_xhci_softc *sc, uint32_t slot,
goto done;
}
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
/* assign address to slot */
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
if (dev_ctx == NULL) {
cmderr = XHCI_TRB_ERROR_PARAMETER;
goto done;
}
DPRINTF(("pci_xhci: address device, dev ctx"));
DPRINTF((" slot %08x %08x %08x %08x",
@ -1019,6 +1046,14 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
DPRINTF(("pci_xhci config_ep slot %u", slot));
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
@ -1032,6 +1067,10 @@ pci_xhci_cmd_config_ep(struct pci_xhci_softc *sc, uint32_t slot,
dev->hci.hci_address = 0;
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
if (dev_ctx == NULL) {
cmderr = XHCI_TRB_ERROR_PARAMETER;
goto done;
}
/* number of contexts */
dev_ctx->ctx_slot.dwSctx0 = FIELD_REPLACE(
@ -1138,11 +1177,19 @@ pci_xhci_cmd_reset_ep(struct pci_xhci_softc *sc, uint32_t slot,
cmderr = XHCI_TRB_ERROR_SUCCESS;
type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
type = XHCI_TRB_3_TYPE_GET(trb->dwTrb3);
if (type == XHCI_TRB_TYPE_STOP_EP &&
(trb->dwTrb3 & XHCI_TRB_3_SUSP_EP_BIT) != 0) {
/* XXX suspend endpoint for 10ms */
@ -1227,6 +1274,14 @@ pci_xhci_cmd_set_tr(struct pci_xhci_softc *sc, uint32_t slot,
cmderr = XHCI_TRB_ERROR_SUCCESS;
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
dev = XHCI_SLOTDEV_PTR(sc, slot);
assert(dev != NULL);
@ -1325,8 +1380,20 @@ pci_xhci_cmd_eval_ctx(struct pci_xhci_softc *sc, uint32_t slot,
goto done;
}
if (slot == 0) {
cmderr = XHCI_TRB_ERROR_TRB;
goto done;
} else if (slot > XHCI_MAX_SLOTS) {
cmderr = XHCI_TRB_ERROR_SLOT_NOT_ON;
goto done;
}
/* assign address to slot; in this emulation, slot_id = address */
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
if (dev_ctx == NULL) {
cmderr = XHCI_TRB_ERROR_PARAMETER;
goto done;
}
DPRINTF(("pci_xhci: eval ctx, dev ctx"));
DPRINTF((" slot %08x %08x %08x %08x",
@ -1555,8 +1622,9 @@ pci_xhci_xfer_complete(struct pci_xhci_softc *sc, struct usb_data_xfer *xfer,
dev = XHCI_SLOTDEV_PTR(sc, slot);
devep = &dev->eps[epid];
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
assert(dev_ctx != NULL);
if (dev_ctx == NULL) {
return XHCI_TRB_ERROR_PARAMETER;
}
ep_ctx = &dev_ctx->ctx_ep[epid];