CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	John Baldwin <jhb@FreeBSD.org>
	Thu, 29 Jun 2023 18:27:12 +0000 (11:27 -0700)
committer	Mark Johnston <markj@FreeBSD.org>
	Tue, 1 Aug 2023 19:45:41 +0000 (15:45 -0400)
commit	bed3ae1d7863ac1e0b1e82ae7bf952937e921efe
tree	dede617490989683eefb42d733eb1bea6b60bf94	tree \| snapshot
parent	1112883e19aaef24082f8d24f9b3bc214046caad	commit \| diff

bhyve: Fully reset the fwctl state machine if the guest requests a reset.

If a guest tries to reset the fwctl device while a pending request was
in flight, the fwctl state machine can be left in an incomplete state.
Specifically, rinfo is not cleared.

Normally the state machine for fwctl alternates between REQ (receiving
request) and RESP (sending response) and ignores port writes while in
RESP or port reads while in REQ. Once a guest completes the writes to
the port to send a request, the state machine transitions to RESP and
ignores future writes.

However, if a guest writes a full request and then resets the fwctl
device, the state would transition to REQ without draining the pending
response or discarding the received request. Instead, additional
port writes after the reset were treated as new payload bytes, but
were appended to the previously-received request and could overflow
the fget_str buffer.

To fix, fully reset the fwctl state machine if the guest requests a
reset.

admbugs: 998
Approved by: so
Reviewed by: markj
Reported by: Omri Ben Bassat <t-benbassato@microsoft.com>
Security: FreeBSD-SA-23:07.bhyve
Security: CVE-2023-3494