Date: Tue, 15 Oct 2024 20:55:00 GMT
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: b34a4edefb0a - main - bhyve: avoid buffer overflow in pci_vtcon_control_send
Message-ID: <202410152055.49FKt0gI086055@gitrepo.freebsd.org>
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=b34a4edefb0a40ced9b17ffd640f52fe55edc1f5 commit b34a4edefb0a40ced9b17ffd640f52fe55edc1f5 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-10-02 21:44:37 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-10-15 20:54:19 +0000 bhyve: avoid buffer overflow in pci_vtcon_control_send This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!) Reported by: Synacktiv Reviewed by: markj Security: HYP-19 Sponsored by: Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46882 --- usr.sbin/bhyve/pci_virtio_console.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c index 4b957322b395..2950c2276942 100644 --- a/usr.sbin/bhyve/pci_virtio_console.c +++ b/usr.sbin/bhyve/pci_virtio_console.c @@ -572,6 +572,9 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, struct iovec iov; int n; + if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control)) + return; + vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true); if (!vq_has_descs(vq)) @@ -580,11 +583,11 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, n = vq_getchain(vq, &iov, 1, &req); assert(n == 1); - if (iov.iov_len < sizeof(struct pci_vtcon_control)) + if (iov.iov_len < sizeof(struct pci_vtcon_control) + len) goto out; memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control)); - if (payload != NULL && len > 0) + if (len > 0) memcpy((uint8_t *)iov.iov_base + sizeof(struct pci_vtcon_control), payload, len);
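Review bot: the early return added at the top of pci_vtcon_control_send (first hunk) drops the control message silently when len > SIZE_T_MAX - sizeof(struct pci_vtcon_control), and nothing in the hunk says why the bound is there. A short comment stating that it keeps the later sizeof(struct pci_vtcon_control) + len comparison from wrapping would make the intent clear. A caller passing such a len is a bug worth surfacing with a debug print or an assert rather than a bare return.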
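Review bot: in the second hunk the copy guard goes from payload != NULL && len > 0 to len > 0, so a caller that passes a NULL payload with a nonzero len now reaches memcpy with a NULL source instead of skipping the copy. If that combination is meant to be a caller bug, state the contract with assert(payload != NULL || len == 0) ahead of the memcpy, or keep the NULL test. The strengthened check iov.iov_len < sizeof(struct pci_vtcon_control) + len bounds the destination only and says nothing about the source pointer.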