Project

General

Profile

Actions

Bug #14717

open

bhyve nvme: Fix out-of-bound IOV array access

Added by Andy Fiddaman 2 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Category:
bhyve
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

From https://reviews.freebsd.org/D35328

NVMe operations indicate the memory region(s) associated with a command
via physical region pages (PRPs). Since each PRP has a fixed size,
contiguous memory regions larger than the PRP size require multiple PRP
entries.

Instead of issuing a blockif call for each PRP, the NVMe emulation
concatenates multiple contiguous PRP entries into a single blockif
request. The test for contiguous regions has a bug such that it
mistakenly treats an initial address of zero as a contiguous range and
concatenates it with the previous. But because there is no previous IOV,
the concatenation code corrupts the IO request structure and leads to a
segmentation fault when the blockif request completes.

Fix is to test for the existence of a previous range before trying to
concatenate the current range with the previous one.

No data to display

Actions

Also available in: Atom PDF