From ae638f2bd5fefed3eee65e960cae71c7fd1d87f5 Mon Sep 17 00:00:00 2001 From: Chuck Tuffli Date: Mon, 29 Jun 2020 00:31:58 +0000 Subject: [PATCH] bhyve: validate NVMe deallocate range values For NVMe emulation, validate the Data Set Management LBA ranges do not exceed the capacity of the backing storage. If they do, return an "LBA Out of Range" error. Fixes UNH Test 2.2.3 Tested by: Jason Tubnor MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D24893 --- usr.sbin/bhyve/pci_nvme.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr.sbin/bhyve/pci_nvme.c b/usr.sbin/bhyve/pci_nvme.c index bd49b0500178..db02eeb4b75a 100644 --- a/usr.sbin/bhyve/pci_nvme.c +++ b/usr.sbin/bhyve/pci_nvme.c @@ -1877,6 +1877,11 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, cmd->prp1, cmd->prp2, (uint8_t *)range, NVME_MAX_DSM_TRIM, NVME_COPY_FROM_PRP); + if ((range[0].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } + /* * If the request is for more than a single range, store * the ranges in the br_iov. Optimize for the common case @@ -1896,6 +1901,10 @@ nvme_opc_dataset_mgmt(struct pci_nvme_softc *sc, struct iovec *iov = req->io_req.br_iov; for (r = 0; r <= nr; r++) { + if ((range[r].starting_lba * sectsz) > nvstore->size) { + pci_nvme_status_genc(status, NVME_SC_LBA_OUT_OF_RANGE); + goto out; + } iov[r].iov_base = (void *)(range[r].starting_lba * sectsz); iov[r].iov_len = range[r].length * sectsz; }