bhyve: Initialize stack buffer in pci_ahci
In the function ahci_handle_dsm_trim, if the call to read_prdt fails, the variable buf[512] is used while it contains uninitialized data. It is easy to make the call to read_prdt fail, for instance if hdr->prdtl == NULL, the function will return without writing anything in buf. In addition, this code could be hardened by checking the value of done before accessing &buf[done].

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-15
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46090
committed by
Ed Maste
parent
a3d5dec420
commit
71fa171c64
@@ -781,7 +781,7 @@ ahci_handle_flush(struct ahci_port *p, int slot, uint8_t *cfis)
assert(err == 0);
}
static inline void
static inline unsigned int
read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf,
unsigned int size)
{
@@ -808,6 +808,7 @@ read_prdt(struct ahci_port *p, int slot, uint8_t *cfis, void *buf,
to += sublen;
prdt++;
}
return (size - len);
}
static void
@@ -820,6 +821,7 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done
uint32_t len, elen;
int err, first, ncq;
uint8_t buf[512];
unsigned int written;
first = (done == 0);
if (cfis[2] == ATA_DATA_SET_MANAGEMENT) {
@@ -831,9 +833,12 @@ ahci_handle_dsm_trim(struct ahci_port *p, int slot, uint8_t *cfis, uint32_t done
len *= 512;
ncq = 1;
}
read_prdt(p, slot, cfis, buf, sizeof(buf));
written = read_prdt(p, slot, cfis, buf, sizeof(buf));
memset(buf + written, 0, sizeof(buf) - written);
next:
if (done >= sizeof(buf) - 8)
return;
entry = &buf[done];
elba = ((uint64_t)entry[5] << 40) |
((uint64_t)entry[4] << 32) |
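Review bot: The new guard `if (done >= sizeof(buf) - 8)` is off by one: with 8-byte DSM entries (the `- 8` itself encodes that size), `done == 504` addresses `buf[504..511]`, which is inside the buffer, yet the guard returns for it, so the 64th entry of a full 512-byte list is never processed; `if (done > sizeof(buf) - 8)` keeps the bounds check without dropping that entry. That early `return;` also completes nothing visible, so if the `elen == 0` path outside the hunk still jumps back to `next:` while `done < len`, a list whose leading entries are zero can reach this return and leave the command un-completed — a comment stating what state the slot is expected to be in here, or an explicit completion/error path, would make the intent checkable. Separately, `memset(buf + written, 0, sizeof(buf) - written);` assumes read_prdt never returns more than the `size` it was handed; `return (size - len);` in the second hunk suggests that, but `len` is bounded in the part of read_prdt above that hunk, so `assert(written <= sizeof(buf));` before the memset would pin the invariant the unsigned subtraction depends on. ahci_handle_dsm_trim starts before this hunk and continues past it.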