Bug 264548 - bhyve's nvme_opc_dataset_mgmt() can free() uninitialized pointer
Summary: bhyve's nvme_opc_dataset_mgmt() can free() uninitialized pointer
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bhyve
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Chuck Tuffli
Reported: 2022-06-08 14:49 UTC by Robert Morris
Modified: 2023-01-20 21:09 UTC (History)
CC List: 2 users

Description Robert Morris 2022-06-08 14:49:25 UTC
Bhyve's nvme_opc_dataset_mgmt() can free(range) before initializing it:

        struct nvme_dsm_range *range;
        ...;
        if ((sc->ctrldata.oncs & NVME_ONCS_DSM) == 0) {
                pci_nvme_status_genc(status, NVME_SC_INVALID_OPCODE);
                goto out;
        }
        ...;
        range = calloc(1, NVME_MAX_DSM_TRIM);
        ...;
out:
        free(range);

A guest can cause this to happen by ringing the doorbell of a
submission queue with an entry with cmd->opc
NVME_OPC_DATASET_MANAGEMENT.
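The shape of the defect and of the one-line fix, written as an added C example rather than bhyve's own code (the ex_ names, status values and buffer size are stand-ins): the early goto path must reach free() with a pointer that has a defined value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-ins for the controller state and NVMe constants;
 * the ex_ names are constructed for this example, not bhyve's own.
 */
#define EX_ONCS_DSM          (1u << 2)   /* ONCS bit: Dataset Management supported */
#define EX_MAX_DSM_TRIM      4096        /* bytes reserved for the guest's range list */
#define EX_SC_SUCCESS        0
#define EX_SC_INVALID_OPCODE 1
#define EX_SC_INTERNAL_ERR   6

struct ex_ctrl {
    uint32_t oncs;                       /* Optional NVM Command Support field */
};

/*
 * Handler with the fix applied: `range` starts out NULL, so the early
 * `goto out` taken when DSM is not advertised reaches free() with a
 * defined NULL, which free() treats as a no-op. Without the "= NULL",
 * a DSM command against a controller with ONCS.DSM clear would hand
 * free() whatever the stack held, which is the bug reported above.
 */
static int
ex_opc_dataset_mgmt(const struct ex_ctrl *sc, const uint8_t *payload, size_t len)
{
    void *range = NULL;                  /* the one-line fix */
    int status = EX_SC_SUCCESS;

    if ((sc->oncs & EX_ONCS_DSM) == 0) {
        status = EX_SC_INVALID_OPCODE;
        goto out;                        /* skips the allocation below */
    }
    range = calloc(1, EX_MAX_DSM_TRIM);
    if (range == NULL) {
        status = EX_SC_INTERNAL_ERR;
        goto out;
    }
    /* Copy the guest-supplied range list, bounded by the buffer size. */
    if (len > EX_MAX_DSM_TRIM)
        len = EX_MAX_DSM_TRIM;
    memcpy(range, payload, len);
out:
    free(range);                         /* well-defined on every path */
    return status;
}
```

Compiling the pre-fix shape with warnings enabled (gcc -Wall includes -Wmaybe-uninitialized) or running it under a static analyser is the cheapest check for this class of defect.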
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-08-14 15:04:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7376c08cc67e65ee660d51873129e34745ef5dd4

commit 7376c08cc67e65ee660d51873129e34745ef5dd4
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2022-06-09 20:05:46 +0000
Commit:     Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2022-08-14 14:53:22 +0000

    bhyve nvme: Fix uninitialized pointer

    The Dataset Management code could free an uninitialized pointer if the
    device doesn't support the Dataset Management command.

    PR:             264548
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

 usr.sbin/bhyve/pci_nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-01-20 21:08:27 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c84ec3076e7de10d7475fd9694ad64603e264d88

commit c84ec3076e7de10d7475fd9694ad64603e264d88
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2022-06-09 20:05:46 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-01-20 21:07:27 +0000

    bhyve nvme: Fix uninitialized pointer

    The Dataset Management code could free an uninitialized pointer if the
    device doesn't support the Dataset Management command.

    PR:             264548
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 7376c08cc67e65ee660d51873129e34745ef5dd4)

 usr.sbin/bhyve/pci_nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-01-20 21:09:28 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d4e643f6a51d7fb8d8523419196449faa5fa047d

commit d4e643f6a51d7fb8d8523419196449faa5fa047d
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2022-06-09 20:05:46 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-01-20 21:08:28 +0000

    bhyve nvme: Fix uninitialized pointer

    The Dataset Management code could free an uninitialized pointer if the
    device doesn't support the Dataset Management command.

    PR:             264548
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 7376c08cc67e65ee660d51873129e34745ef5dd4)
    (cherry picked from commit c84ec3076e7de10d7475fd9694ad64603e264d88)

 usr.sbin/bhyve/pci_nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)