Page MenuHomeFreeBSD
Differential D35452

bhyve nvme: Check return value of mapped memory
ClosedPublic
Actions

Authored by chuck on Jun 10 2022, 8:57 PM.
Tags
None
Referenced Files
F116124447: D35452.diff
Fri, May 2, 6:50 PM
Unknown Object (File)
Thu, May 1, 10:35 AM
Unknown Object (File)
Sun, Apr 27, 7:31 AM
Unknown Object (File)
Mon, Apr 21, 5:17 AM
Unknown Object (File)
Mon, Apr 21, 3:26 AM
Unknown Object (File)
Mon, Apr 21, 1:14 AM
Unknown Object (File)
Sun, Apr 20, 11:20 PM
Unknown Object (File)
Sun, Apr 20, 11:20 PM
View All 76 Files
Subscribers
bcran
dab
rgrimes

Details

Reviewers
grehan
jhb
imp
Group Reviewers
bhyve
Commits
rG3d3678627c31: bhyve nvme: Check return value of mapped memory
Summary

Fuzzing of bhyve using hyfuzz discovered a way to cause a segmentation
fault in the NVMe emulation. If a guest specifies a physical address in
either the PRP1 or PRP2 field of a command that cannot be mapped from
guest to host, the function paddr_guest2host() returns a NULL pointer.
The NVMe emulation did not check for this error case, which allowed for
the segmentation fault to occur.

Fix is to check for a return value of NULL and indicate an error back to
the guest (Data Transfer error). While in the area, slightly refactor
the write/read blockif function to use a common error exit path.

PR: 256321
Reported by: Cheolwoo Myung <cwmyung@snu.ac.kr>

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 45936
Build 42824: arc lint + arc unit

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
21 lines

Diff 106830

View Options

usr.sbin/bhyve/pci_nvme.c

Loading...