bhyve nvme: Check return value of mapped memory

Fuzzing of bhyve using hyfuzz discovered a way to cause a segmentation fault in the NVMe emulation. If a guest specifies a physical address in either the PRP1 or PRP2 field of a command that cannot be mapped from guest to host, the function paddr_guest2host() returns a NULL pointer. The NVMe emulation did not check for this error case, which allowed for the segmentation fault to occur. Fix is to check for a return value of NULL and indicate an error back to the guest (Data Transfer error). While in the area, slightly refactor the write/read blockif function to use a common error exit path. PR: 256321 Reported by: Cheolwoo Myung <cwmyung@snu.ac.kr> Reviewed by: imp, jhb Differential Revision: https://reviews.freebsd.org/D35452
2022-08-14 07:45:21 -07:00 · 2022-08-14 07:45:21 -07:00 · 3d3678627c
commit 3d3678627c
parent 8b55a4718c
1 changed files with 13 additions and 8 deletions
--- a/usr.sbin/bhyve/pci_nvme.c
+++ b/usr.sbin/bhyve/pci_nvme.c
@ -2196,6 +2196,8 @@ pci_nvme_append_iov_req(struct pci_nvme_softc *sc, struct pci_nvme_ioreq *req,
 		req->io_req.br_iov[iovidx].iov_base =
 		    paddr_guest2host(req->sc->nsc_pi->pi_vmctx,
 				     req->prev_gpaddr, size);
+		if (req->io_req.br_iov[iovidx].iov_base == NULL)
+			return (-1);

 		req->prev_size += size;
 		req->io_req.br_resid += size;
@ -2212,6 +2214,8 @@ pci_nvme_append_iov_req(struct pci_nvme_softc *sc, struct pci_nvme_ioreq *req,
 		req->io_req.br_iov[iovidx].iov_base =
 		    paddr_guest2host(req->sc->nsc_pi->pi_vmctx,
 				     gpaddr, size);
+		if (req->io_req.br_iov[iovidx].iov_base == NULL)
+			return (-1);

 		req->io_req.br_iov[iovidx].iov_len = size;

@ -2402,8 +2406,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,
 	size = MIN(PAGE_SIZE - (prp1 % PAGE_SIZE), bytes);
 	if (pci_nvme_append_iov_req(sc, req, prp1,
 	    size, is_write, offset)) {
-		pci_nvme_status_genc(&status,
-		    NVME_SC_DATA_TRANSFER_ERROR);
+		err = -1;
 		goto out;
 	}

@ -2416,8 +2419,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,
 		size = bytes;
 		if (pci_nvme_append_iov_req(sc, req, prp2,
 		    size, is_write, offset)) {
-			pci_nvme_status_genc(&status,
-			    NVME_SC_DATA_TRANSFER_ERROR);
+			err = -1;
 			goto out;
 		}
 	} else {
@ -2433,6 +2435,10 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,

 				prp_list = paddr_guest2host(vmctx, prp,
 				    PAGE_SIZE - (prp % PAGE_SIZE));
+				if (prp_list == NULL) {
+					err = -1;
+					goto out;
+				}
 				last = prp_list + (NVME_PRP2_ITEMS - 1);
 			}

@ -2440,8 +2446,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,

 			if (pci_nvme_append_iov_req(sc, req, *prp_list,
 			    size, is_write, offset)) {
-				pci_nvme_status_genc(&status,
-				    NVME_SC_DATA_TRANSFER_ERROR);
+				err = -1;
 				goto out;
 			}

@ -2456,10 +2461,10 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,
 		err = blockif_write(nvstore->ctx, &req->io_req);
 	else
 		err = blockif_read(nvstore->ctx, &req->io_req);
-
+out:
 	if (err)
 		pci_nvme_status_genc(&status, NVME_SC_DATA_TRANSFER_ERROR);
-out:
+
 	return (status);
 }