upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

bhyve: fix off by one error in pci_xhci

Browse source 
The function pci_xhci_find_stream validates that the streamid is valid
but the bound check accepts up to ep_MaxPStreams included.

The bug results in an out-of-bounds write on the heap with controlled
data.

Reported by:	Synacktiv
Reviewed by:	jhb
Security:	FreeBSD-SA-24:12.bhyve
Security:	CVE-2024-32668
Security:	HYP-04
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45994

(cherry picked from commit 5c9308a4130858598c76f3ae6e3e3dfb41ccfe68)
(cherry picked from commit 90af1336ed)

Approved by:	so
This commit is contained in:
Pierre Pronchery 2024-09-04 14:38:11 +00:00 committed by Franco Fichtner
parent de345142ae
commit d2c16932bc
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
usr.sbin/bhyve/pci_xhci.c
View file

@ -660,7 +660,7 @@ pci_xhci_init_ep(struct pci_xhci_dev_emu *dev, int epid)
devep = &dev->eps[epid];
pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
if (pstreams > 0) {
DPRINTF(("init_ep %d with pstreams %d", epid, pstreams));
DPRINTF(("init_ep %d with pstreams %u", epid, pstreams));
assert(devep->ep_sctx_trbs == NULL);
devep->ep_sctx = XHCI_GADDR(dev->xsc, ep_ctx->qwEpCtx2 &
@ -1202,7 +1202,7 @@ pci_xhci_find_stream(struct pci_xhci_softc *sc, struct xhci_endp_ctx *ep,
}
/* only support primary stream */
if (streamid > devep->ep_MaxPStreams)
if (streamid >= devep->ep_MaxPStreams)
return (XHCI_TRB_ERROR_STREAM_TYPE);
sctx = (struct xhci_stream_ctx *)XHCI_GADDR(sc, ep->qwEpCtx2 & ~0xFUL) +