From owner-svn-src-all@freebsd.org Tue Dec 4 18:38:33 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5C95713168E7; Tue, 4 Dec 2018 18:38:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 01CEA6AE1E; Tue, 4 Dec 2018 18:38:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D892B10D1; Tue, 4 Dec 2018 18:38:32 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wB4IcWQu084952; Tue, 4 Dec 2018 18:38:32 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wB4IcWD3084949; Tue, 4 Dec 2018 18:38:32 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201812041838.wB4IcWD3084949@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 4 Dec 2018 18:38:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r341488 - in releng/11.2: . sys/conf usr.sbin/bhyve X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/11.2: . sys/conf usr.sbin/bhyve X-SVN-Commit-Revision: 341488 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 01CEA6AE1E X-Spamd-Result: default: False [-0.33 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-0.45)[-0.447,0]; NEURAL_SPAM_SHORT(0.14)[0.144,0]; NEURAL_HAM_LONG(-0.03)[-0.031,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Dec 2018 18:38:33 -0000 Author: gordon Date: Tue Dec 4 18:38:32 2018 New Revision: 341488 URL: https://svnweb.freebsd.org/changeset/base/341488 Log: Fix insufficient bounds checking in bhyve(8) device model. [SA-18:14.bhyve] Submitted by: jhb Reported by: Reno Robert Approved by: so Security: FreeBSD-SA-18:14.bhyve Security: CVE-2018-17160 Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.2/usr.sbin/bhyve/fwctl.c Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Tue Dec 4 18:38:03 2018 (r341487) +++ releng/11.2/UPDATING Tue Dec 4 18:38:32 2018 (r341488) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20181204 p6 FreeBSD-SA-18:14.bhyve + + Fix insufficient bounds checking in bhyve(8) device model. + [SA-18:14.bhyve] + 20181127 p5 FreeBSD-SA-18:13.nfs FreeBSD-EN-18:13.icmp FreeBSD-EN-18:14.tzdata Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Tue Dec 4 18:38:03 2018 (r341487) +++ releng/11.2/sys/conf/newvers.sh Tue Dec 4 18:38:32 2018 (r341488) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.2/usr.sbin/bhyve/fwctl.c ============================================================================== --- releng/11.2/usr.sbin/bhyve/fwctl.c Tue Dec 4 18:38:03 2018 (r341487) +++ releng/11.2/usr.sbin/bhyve/fwctl.c Tue Dec 4 18:38:32 2018 (r341488) @@ -77,8 +77,8 @@ static u_int ident_idx; struct op_info { int op; - int (*op_start)(int len); - void (*op_data)(uint32_t data, int len); + int (*op_start)(uint32_t len); + void (*op_data)(uint32_t data, uint32_t len); int (*op_result)(struct iovec **data); void (*op_done)(struct iovec *data); }; @@ -117,7 +117,7 @@ errop_set(int err) } static int -errop_start(int len) +errop_start(uint32_t len) { errop_code = ENOENT; @@ -126,7 +126,7 @@ errop_start(int len) } static void -errop_data(uint32_t data, int len) +errop_data(uint32_t data, uint32_t len) { /* ignore */ @@ -186,7 +186,7 @@ static int fget_cnt; static size_t fget_size; static int -fget_start(int len) +fget_start(uint32_t len) { if (len > FGET_STRSZ) @@ -198,7 +198,7 @@ fget_start(int len) } static void -fget_data(uint32_t data, int len) +fget_data(uint32_t data, uint32_t len) { *((uint32_t *) &fget_str[fget_cnt]) = data; @@ -283,8 +283,8 @@ static struct req_info { struct op_info *req_op; int resp_error; int resp_count; - int resp_size; - int resp_off; + size_t resp_size; + size_t resp_off; struct iovec *resp_biov; } rinfo; @@ -344,13 +344,14 @@ fwctl_request_start(void) static int fwctl_request_data(uint32_t value) { - int remlen; /* Make sure remaining size is >= 0 */ - rinfo.req_size -= sizeof(uint32_t); - remlen = MAX(rinfo.req_size, 0); + if (rinfo.req_size <= sizeof(uint32_t)) + rinfo.req_size = 0; + else + rinfo.req_size -= sizeof(uint32_t); - (*rinfo.req_op->op_data)(value, remlen); + (*rinfo.req_op->op_data)(value, rinfo.req_size); if (rinfo.req_size < sizeof(uint32_t)) { fwctl_request_done(); @@ -399,7 +400,7 @@ static int fwctl_response(uint32_t *retval) { uint32_t *dp; - int remlen; + ssize_t remlen; switch(rinfo.resp_count) { case 0: @@ -434,7 +435,7 @@ fwctl_response(uint32_t *retval) } if (rinfo.resp_count > 3 && - rinfo.resp_size - rinfo.resp_off <= 0) { + rinfo.resp_off >= rinfo.resp_size) { fwctl_response_done(); return (1); }