Changeset 104280 in vbox

Timestamp:

Apr 10, 2024 4:48:47 PM (10 months ago)

Author:

vboxsync

Message:

VirtioCore: improved chain length checks and MMIO read handling in PciIch0 and PCNet, as well as input context initialization in XHCI. bugref:10635

Location:

trunk/src/VBox/Devices

Files:

• Bus/DevPciIch9.cpp (modified) (1 diff)
• Network/DevPCNet.cpp (modified) (1 diff)
• USB/DevXHCI.cpp (modified) (2 diffs)
• VirtIO/VirtioCore.cpp (modified) (3 diffs)

trunk/src/VBox/Devices/Bus/DevPciIch9.cpp

@@ -731 +731 @@
             default:
                 ASSERT_GUEST_MSG_FAILED(("cb=%u off=%RGp\n", cb, off)); /** @todo how the heck should this work? Split it, right? */
+                rcStrict = VINF_IOM_MMIO_UNUSED_00;
                 break;
         }

trunk/src/VBox/Devices/Network/DevPCNet.cpp

@@ -3814 +3814 @@
             case 4:  rc = pcnetR3MmioReadU32(pDevIns, pThis, pThisCC, off, (uint32_t *)pv); break;
             default:
+                memset(pv, 0, cb);
                 rc = PDMDevHlpDBGFStop(pDevIns, RT_SRC_POS, "pcnetR3MmioRead: unsupported op size: address=%RGp cb=%u\n", off, cb);
+                break;
         }
         STAM_PROFILE_ADV_STOP(&pThis->CTX_SUFF_Z(StatMMIORead), a);

trunk/src/VBox/Devices/USB/DevXHCI.cpp

@@ -4564 +4564 @@
     unsigned        uDCI;
 
+    RT_ZERO(dc_inp);
+
     Assert(uSlotID);
     LogFlowFunc(("Slot ID %u, input control context @ %RGp\n", uSlotID, GCPhysInpCtx));
@@ -4645 +4647 @@
             /// @todo Check input EP contexts according to 6.2.3.2
         }
-/** @todo r=bird: Looks like MSC is right that dc_inp can be used uninitalized.
- *
- * However, this function is so hard to read I'm leaving the exorcism of it to
- * the author and just zeroing it in the mean time.
- *
- */
-        else
-            RT_ZERO(dc_inp);
-
         /* Read the output Slot Context plus all Endpoint Contexts up to and
          * including the one with the highest 'add' or 'drop' bit set.

trunk/src/VBox/Devices/VirtIO/VirtioCore.cpp

@@ -865 +865 @@
             break;
         }
+        /* Check if the limit has been reached for input chain (see section 2.4.4.1 of virtio 1.0 spec). */
+        if (cSegsIn >= RT_ELEMENTS(pVirtqBuf->aSegsIn))
+        {
+            LogRelMax(64, ("Too many input descriptors (cSegsIn=%u).\n", cSegsIn));
+            break;
+        }
+        /* Check if the limit has been reached for output chain (see section 2.4.4.1 of virtio 1.0 spec). */
+        if (cSegsOut >= RT_ELEMENTS(pVirtqBuf->aSegsOut))
+        {
+            LogRelMax(64, ("Too many output descriptors (cSegsOut=%u).\n", cSegsOut));
+            break;
+        }
         RT_UNTRUSTED_VALIDATED_FENCE();
 
@@ -1978 +1990 @@
     PVIRTIOCORE   pVirtio   = PDMINS_2_DATA(pDevIns, PVIRTIOCORE);
     PVIRTIOCORECC pVirtioCC = PDMINS_2_DATA_CC(pDevIns, PVIRTIOCORECC);
-    AssertReturn(cb == 1 || cb == 2 || cb == 4, VERR_INVALID_PARAMETER);
+    AssertReturn(cb == 1 || cb == 2 || cb == 4, VINF_IOM_MMIO_UNUSED_FF);
     Assert(pVirtio == (PVIRTIOCORE)pvUser); RT_NOREF(pvUser);
 
@@ -2000 +2012 @@
     {
         ASSERT_GUEST_MSG_FAILED(("Bad read access to mapped capabilities region: off=%RGp cb=%u\n", off, cb));
+        memset(pv, 0xFF, cb);
         rcStrict = PDMDevHlpDBGFStop(pDevIns, RT_SRC_POS,
                                      "virtioMmioRead: Bad MMIO access to capabilities, offset=%RTiop cb=%08x\n", off, cb);