
bhyve/nvme: Fix Infinite loop in queue processing

Description

bhyve/nvme: Fix Infinite loop in queue processing

In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.

An attacker could overload the host CPU.

Fix is to validate that doorbell values:

  • Are for a valid (i.e., created) queue
  • Are not the same as the previous value
  • Fit within the available capacity

The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.

While in the neighborhood, remove a redundant bounds check.

Reported by: Synacktiv
MFC after: 1 week
Security: HYP-14
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46064

(cherry picked from commit 5374b9e146811757540e35553a7712c5b9b29239)
(cherry picked from commit 86ba5941b132c73476a2a1b76ae53902a027b81c)
(cherry picked from commit df1a36fdfae603ce298b8396ae3388d337c3c5b3)
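The loop and the checks the commit message describes, as an added illustration in C that is not bhyve's code and not part of the original page: a constructed submission-queue model, a processing loop in the shape described (advance head modulo size until it reaches tail, which cannot terminate when tail lies outside the ring), and a hypothetical validate_sq_doorbell() applying the three listed checks before the tail is accepted. The names struct sq, validate_sq_doorbell, process_sq, sq_doorbell_write and the demo_* helpers are assumptions, the reading of "fit within the available capacity" as "the new tail may not claim more entries than the ring has free" is an assumption, and the 8-entry queue states are constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an NVMe submission queue as an emulator tracks it.
 * Field names follow the commit message; nothing here is bhyve's pci_nvme code. */
struct sq {
	uint32_t size;	/* ring entries; 0 means the queue was never created */
	uint32_t head;	/* consumer index: next entry the emulation executes */
	uint32_t tail;	/* producer index: last value accepted from the doorbell */
};

enum doorbell_result { DB_OK, DB_INVALID_QUEUE, DB_INVALID_VALUE };

/* The three checks the fix lists, as a hypothetical function. "Fit within
 * the available capacity" is read here as: the new tail may not claim more
 * entries than the ring has free (one slot stays empty so head == tail
 * always means "empty"). */
enum doorbell_result
validate_sq_doorbell(const struct sq *sq, uint32_t new_tail)
{
	uint32_t used, free_slots, submitted;

	if (sq == NULL || sq->size == 0)
		return (DB_INVALID_QUEUE);	/* not a created queue */
	if (new_tail == sq->tail)
		return (DB_INVALID_VALUE);	/* same as previous value */
	if (new_tail >= sq->size)
		return (DB_INVALID_VALUE);	/* outside the ring */
	used = (sq->tail + sq->size - sq->head) % sq->size;
	free_slots = sq->size - 1 - used;
	submitted = (new_tail + sq->size - sq->tail) % sq->size;
	if (submitted > free_slots)
		return (DB_INVALID_VALUE);	/* would run past head */
	return (DB_OK);
}

/* Queue processing in the shape the commit describes. If tail lies outside
 * 0..size-1, head never equals it and the loop never ends; max_iter stands in
 * for the host CPU time the unfixed emulation would burn. Returns the number
 * of entries consumed, or -1 when the bound is hit. */
int
process_sq(struct sq *sq, unsigned max_iter)
{
	unsigned n = 0;

	if (sq->size == 0)
		return (-1);
	while (sq->head != sq->tail) {
		if (n++ >= max_iter)
			return (-1);
		/* ...execute the command at sq->head (elided)... */
		sq->head = (sq->head + 1) % sq->size;
	}
	return ((int)n);
}

/* Doorbell write after the fix: validate, and on failure ignore the update.
 * This is where the emulation would raise the Invalid Doorbell Asynchronous
 * Event if the guest enabled it. */
bool
sq_doorbell_write(struct sq *sq, uint32_t new_tail)
{
	if (validate_sq_doorbell(sq, new_tail) != DB_OK)
		return (false);
	sq->tail = new_tail;
	return (true);
}

/* Constructed scenarios on an 8-entry queue. */
int
demo_unchecked_spins(void)
{
	struct sq q = { .size = 8, .head = 0, .tail = 0 };

	q.tail = 9;			/* unvalidated doorbell: tail > size */
	return (process_sq(&q, 64));	/* -1: head can never reach 9 */
}

int
demo_checked(void)
{
	struct sq q = { .size = 8, .head = 0, .tail = 0 };

	if (sq_doorbell_write(&q, 9) || q.tail != 0)
		return (-1);		/* must be dropped, tail unchanged */
	if (!sq_doorbell_write(&q, 3))
		return (-1);
	return (process_sq(&q, 64));	/* 3 entries consumed, then stops */
}

int
main(void)
{
	printf("unchecked: %d, checked: %d\n", demo_unchecked_spins(),
	    demo_checked());
	return (0);
}
```

The capacity check matters beyond the tail > size case: a tail that stays inside the ring but jumps past head would also be accepted by a plain range check, and the loop would then consume stale entries until head wrapped all the way round to it.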

Details

Provenance
chuck: Authored on Sun, Oct 13, 1:58 PM
emaste: Committed on Tue, Oct 29, 6:49 PM
Parents
rGcfcbeed4c7d5: bhyve: improve bounds checks in hda_codec