
bhyve/nvme: Fix infinite loop in queue processing

Description

bhyve/nvme: Fix infinite loop in queue processing

In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.

An attacker could overload the host CPU.

The fix is to validate that doorbell values:

  • Are for a valid (i.e., created) queue
  • Are not the same as the previous value
  • Fit within the available capacity

The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.

While in the neighborhood, remove a redundant bounds check.

Reported by: Synacktiv
MFC after: 1 week
Security: HYP-14
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46064

(cherry picked from commit 5374b9e146811757540e35553a7712c5b9b29239)
(cherry picked from commit 86ba5941b132c73476a2a1b76ae53902a027b81c)
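The three doorbell checks listed in the commit message, worked through on a small model of a submission queue. This is an added illustration and not bhyve's pci_nvme code: the `struct sq_model` fields, the `doorbell_result` enum and the function names are assumptions made for the example. The validation path rejects a tail that is for an uncreated queue, repeats the previous value, lies outside the ring, or would claim more entries than are free; the processing loop is capped at the ring size so that an unvalidated tail larger than the queue yields an error instead of spinning, which is the condition the commit fixes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one emulated NVMe submission queue. Field names are
 * assumptions for this example, not bhyve's real structure. */
struct sq_model {
	uint32_t size;	/* ring entries; 0 means the queue was never created */
	uint32_t head;	/* next entry the emulator will consume */
	uint32_t tail;	/* last doorbell value accepted from the guest */
};

enum doorbell_result {
	DB_OK = 0,
	DB_INVALID_QUEUE,	/* doorbell for a queue that does not exist */
	DB_SAME_VALUE,		/* same as the previous tail: nothing new */
	DB_OUT_OF_RANGE,	/* value >= size: head could never catch it */
	DB_OVERRUNS_HEAD	/* claims more entries than the ring has free */
};

/* Entries from 'from' up to (not including) 'to', walking around the ring. */
static uint32_t ring_dist(uint32_t from, uint32_t to, uint32_t size)
{
	return (to >= from) ? to - from : size - from + to;
}

/* The three checks from the commit message, applied in order. */
enum doorbell_result sq_validate_doorbell(const struct sq_model *sq, uint32_t value)
{
	if (sq->size == 0)
		return DB_INVALID_QUEUE;
	if (value == sq->tail)
		return DB_SAME_VALUE;
	if (value >= sq->size)
		return DB_OUT_OF_RANGE;
	/* A ring holds at most size-1 entries, since head == tail means empty. */
	uint32_t in_use = ring_dist(sq->head, sq->tail, sq->size);
	uint32_t free_slots = sq->size - 1 - in_use;
	uint32_t added = ring_dist(sq->tail, value, sq->size);
	if (added > free_slots)
		return DB_OVERRUNS_HEAD;
	return DB_OK;
}

/* Apply a guest doorbell write. A rejected write leaves the queue untouched;
 * a device model would raise the Invalid Doorbell asynchronous event here. */
enum doorbell_result sq_doorbell_write(struct sq_model *sq, uint32_t value)
{
	enum doorbell_result r = sq_validate_doorbell(sq, value);
	if (r == DB_OK)
		sq->tail = value;
	return r;
}

/* Consume entries from head until it meets tail. Returns the number consumed,
 * or -1 if the loop would run past the ring size, which is exactly what an
 * unvalidated tail greater than the queue size produces. */
int sq_process(struct sq_model *sq)
{
	int processed = 0;
	while (sq->head != sq->tail) {
		if (sq->size == 0 || (uint32_t)processed >= sq->size)
			return -1;
		sq->head = (sq->head + 1) % sq->size;
		processed++;
	}
	return processed;
}

int main(void)
{
	struct sq_model good = { .size = 16, .head = 0, .tail = 0 };
	printf("write 5: %d, processed %d\n", sq_doorbell_write(&good, 5), sq_process(&good));
	printf("write 40: %d\n", sq_doorbell_write(&good, 40));	/* rejected; tail stays 5 */
	struct sq_model bad = { .size = 16, .head = 0, .tail = 40 };	/* tail never validated */
	printf("unvalidated tail: %d\n", sq_process(&bad));	/* -1 instead of looping forever */
	return 0;
}
```

The capacity check is stated in terms of free slots rather than a plain `value < size` comparison so that a wrapped tail (a value numerically below the current one) is accepted only while it does not run past the head; the iteration cap in `sq_process` is a defensive guard, not a substitute for validating the doorbell before it is stored.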

Details

Provenance: chuck authored on Sun, Oct 13, 1:58 PM; emaste committed on Sat, Oct 19, 3:43 PM
Differential Revision: restricted
Parents: rG9ecbda844643: syslogd: Ignore getaddrinfo() errors if -ss is specified