svn:author: jhb
svn:date: 2022-08-25T17:33:42.371909Z
svn:log:

bhyve xhci: Cache the value of MaxPStreams when initializing an endpoint.

This avoids type confusion where a malicious guest could rewrite the MaxPStreams field in an endpoint context after the endpoint was initialized, causing the device model to interpret a guest provided address (stored in ep_ringaddr of the "software" endpoint state) as a bhyve host process address (ep_sctx_trbs). It also prevents a malicious guest from triggering overflows of ep_sctx_trbs[] by increasing the number of streams after the endpoint has been initialized.

Rather than re-reading the MaxPStreams value out of the endpoint context in guest memory on subsequent operations, cache the value in the software endpoint state.

Possibly the device model should raise errors if the value of MaxPStreams changes while an endpoint is running. This approach simply ignores any such changes by the guest.

PR: 264294, 264347
Reported by: Robert Morris
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36181

(cherry picked from commit e7439f6aeb235ba3a7e79818c56a63d066c80854)

Git Hash: 920489d03cedbe232c843f36fa5f2d954a5aae15
Git Author: jhb@FreeBSD.org
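The double fetch the commit describes, as an added illustration that is not bhyve's code: a device model that re-reads MaxPStreams from guest memory on every operation beside one that caches and bounds-checks it once at endpoint initialization. The struct layouts, field names and MAX_STREAMS are hypothetical stand-ins for the real xHCI endpoint context and bhyve's software endpoint state.

```c
#include <stdint.h>
#include <string.h>
#define MAX_STREAMS 8

/* Constructed stand-in for an endpoint context in guest memory; the guest may
 * rewrite it at any time. Hypothetical layout, not the real xHCI context. */
struct guest_ep_ctx {
    uint32_t max_pstreams;   /* 0 = single transfer ring, >0 = stream array */
    uint64_t tr_dequeue_ptr; /* guest physical address */
};
/* Hypothetical "software" endpoint state owned by the device model. */
struct sw_ep {
    uint32_t max_pstreams;           /* cached once at init: the fix */
    uint64_t ringaddr;               /* guest address, meaningful only without streams */
    uint32_t sctx_trbs[MAX_STREAMS]; /* host-side state, meaningful only with streams */
};

/* Read MaxPStreams exactly once, bounds-check it, and keep the copy. */
int ep_init(struct sw_ep *ep, const struct guest_ep_ctx *ctx)
{
    if (ctx->max_pstreams > MAX_STREAMS)
        return -1;  /* reject before anything indexes sctx_trbs */
    memset(ep, 0, sizeof(*ep));
    ep->max_pstreams = ctx->max_pstreams;
    ep->ringaddr = ctx->tr_dequeue_ptr;
    return 0;
}

/* Vulnerable pattern: MaxPStreams is fetched again from guest memory per operation. */
int ep_uses_streams_reread(const struct guest_ep_ctx *ctx)
{
    return ctx->max_pstreams > 0;
}
/* Fixed pattern: decide from the cached value; later guest edits are ignored. */
int ep_uses_streams_cached(const struct sw_ep *ep)
{
    return ep->max_pstreams > 0;
}

/* Scenario from the commit message: endpoint initialised with no streams, then the
 * guest flips the field. Returns (reread << 1) | cached; 2 means the re-reading
 * model would now treat ringaddr as stream state while the cached one still sees a single ring. */
int demo_toctou(void)
{
    struct guest_ep_ctx ctx = { .max_pstreams = 0, .tr_dequeue_ptr = 0x1000 };
    struct sw_ep ep;
    if (ep_init(&ep, &ctx) != 0) return -1;
    ctx.max_pstreams = 3;  /* guest rewrites the context after init */
    return (ep_uses_streams_reread(&ctx) << 1) | ep_uses_streams_cached(&ep);
}
```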