Bug #14717
openbhyve nvme: Fix out-of-bound IOV array access
% Done: 0%
Difficulty: Medium
Description
From https://reviews.freebsd.org/D35328
NVMe operations indicate the memory region(s) associated with a command via physical region pages (PRPs). Since each PRP has a fixed size, contiguous memory regions larger than the PRP size require multiple PRP entries. Instead of issuing a blockif call for each PRP, the NVMe emulation concatenates multiple contiguous PRP entries into a single blockif request. The test for contiguous regions has a bug such that it mistakenly treats an initial address of zero as a contiguous range and concatenates it with the previous one. But because there is no previous IOV, the concatenation code corrupts the IO request structure and leads to a segmentation fault when the blockif request completes. The fix is to test for the existence of a previous range before trying to concatenate the current range with the previous one.
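The following is an added illustration of the failure mode described above, written for this page; it is not the bhyve NVMe emulation code, and the structure and function names (struct ioreq, append_iov, build_request, PRP_SIZE, MAX_IOVEC) are simplified assumptions. A freshly initialised request has both "previous range" fields at zero, so a first PRP with guest physical address 0 satisfies prev_gpaddr + prev_size == gpaddr and the code tries to extend IOV entry iovcnt - 1, i.e. index -1. The model returns an error instead of writing out of bounds so the behaviour can be observed safely; the fixed path checks iovcnt before testing contiguity. Page offsets within the first PRP are ignored for brevity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRP_SIZE  4096   /* assumed page size of one PRP entry */
#define MAX_IOVEC 16     /* assumed upper bound on IOV entries per request */

/* One contiguous guest-physical range handed to the block backend. */
struct iov {
    uint64_t gpaddr;
    size_t   len;
};

/* Simplified model of an in-flight I/O request (hypothetical layout). */
struct ioreq {
    struct iov iov[MAX_IOVEC];
    int        iovcnt;
    uint64_t   prev_gpaddr;   /* start of the last appended range */
    size_t     prev_size;     /* length of the last appended range */
};

/*
 * Append a PRP range to the request, merging it into the previous IOV
 * when the two ranges are physically contiguous.
 * Returns the IOV index used, -1 if the request is full, or -2 when the
 * buggy contiguity test selects an index outside the array (the real
 * code would corrupt memory here; the model reports it instead).
 */
static int append_iov(struct ioreq *req, uint64_t gpaddr, size_t size, bool fixed)
{
    bool contiguous;
    int idx;

    if (req->iovcnt == MAX_IOVEC)
        return -1;

    if (fixed && req->iovcnt == 0)
        contiguous = false;   /* fix: no previous range to concatenate with */
    else
        contiguous = (req->prev_gpaddr + req->prev_size) == gpaddr;

    if (contiguous) {
        idx = req->iovcnt - 1;
        if (idx < 0)
            return -2;        /* bug: iovcnt == 0 and gpaddr == 0 land here */
        req->iov[idx].len += size;
    } else {
        idx = req->iovcnt;
        req->iov[idx].gpaddr = gpaddr;
        req->iov[idx].len = size;
        req->iovcnt++;
    }
    req->prev_gpaddr = gpaddr;
    req->prev_size = size;
    return idx;
}

/*
 * Translate a PRP list into IOVs on a zeroed request.
 * Returns the resulting IOV count, or the negative error from append_iov.
 */
static int build_request(struct ioreq *req, const uint64_t *prps, int nprps, bool fixed)
{
    memset(req, 0, sizeof(*req));  /* fresh request: prev_* are zero */
    for (int i = 0; i < nprps; i++) {
        int rc = append_iov(req, prps[i], PRP_SIZE, fixed);
        if (rc < 0)
            return rc;
    }
    return req->iovcnt;
}

int main(void)
{
    /* Constructed PRP lists: three contiguous pages then a gap, and a list starting at gpa 0. */
    const uint64_t contig[] = { 0x1000, 0x2000, 0x3000, 0x10000 };
    const uint64_t at_zero[] = { 0x0, 0x1000 };
    struct ioreq req;

    printf("contiguous list, fixed: %d IOVs\n", build_request(&req, contig, 4, true));
    printf("list starting at 0, buggy: rc=%d\n", build_request(&req, at_zero, 2, false));
    printf("list starting at 0, fixed: %d IOVs\n", build_request(&req, at_zero, 2, true));
    return 0;
}
```

The buggy and fixed paths behave identically for every PRP list except one whose first entry is guest physical address 0; that single input is what takes the concatenation branch with no previous IOV.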