Date: Fri, 11 Nov 2022 01:24:36 GMT From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 1282bf40f7b9 - stable/12 - bhyve virtio-scsi: Avoid out of bounds accesses to guest requests. Message-ID: <202211110124.2AB1Oaa0027396@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=1282bf40f7b90af1fa90223125e10c8e4edb5c39 commit 1282bf40f7b90af1fa90223125e10c8e4edb5c39 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-08-29 22:36:11 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2022-11-11 01:13:19 +0000 bhyve virtio-scsi: Avoid out of bounds accesses to guest requests. - Ignore I/O requests with insufficiently sized input or output buffers (those not containing compete request headers). - Ignore control requests with improperly sized buffers. - While here, explicitly zero the output header of an I/O request to avoid leaking malloc garbage from the host if the header is not fully populated. PR: 264521 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: mav, emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36271 (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd) --- usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/usr.sbin/bhyve/pci_virtio_scsi.c b/usr.sbin/bhyve/pci_virtio_scsi.c index 542098631f90..0bce6ef66613 100644 --- a/usr.sbin/bhyve/pci_virtio_scsi.c +++ b/usr.sbin/bhyve/pci_virtio_scsi.c @@ -363,14 +363,27 @@ pci_vtscsi_control_handle(struct pci_vtscsi_softc *sc, void *buf, struct pci_vtscsi_ctrl_an *an; uint32_t type; + if (bufsize < sizeof(uint32_t)) { + WPRINTF("ignoring truncated control request"); + return (0); + } + type = *(uint32_t *)buf; if (type == VIRTIO_SCSI_T_TMF) { + if (bufsize != sizeof(*tmf)) { + WPRINTF("ignoring tmf request with size %zu", bufsize); + return (0); + } tmf = (struct pci_vtscsi_ctrl_tmf *)buf; return (pci_vtscsi_tmf_handle(sc, tmf)); } if (type == VIRTIO_SCSI_T_AN_QUERY) { + if (bufsize != sizeof(*an)) { + WPRINTF("ignoring AN request with size %zu", bufsize); + return (0); + } an = (struct pci_vtscsi_ctrl_an *)buf; return (pci_vtscsi_an_handle(sc, an)); } @@ -467,6 +480,15 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in, uint32_t ext_data_len = 0, ext_sg_entries = 0; int err; + if (count_iov(iov_out, niov_out) < VTSCSI_OUT_HEADER_LEN(sc)) { + WPRINTF("ignoring request with insufficient output"); + return (0); + } + if (count_iov(iov_in, niov_in) < VTSCSI_IN_HEADER_LEN(sc)) { + WPRINTF("ignoring request with incomplete header"); + return (0); + } + seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in, VTSCSI_IN_HEADER_LEN(sc)); seek_iov(iov_out, niov_out, data_iov_out, &data_niov_out, @@ -476,7 +498,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in, truncate_iov(iov_out, &niov_out, VTSCSI_OUT_HEADER_LEN(sc)); iov_to_buf(iov_in, niov_in, (void **)&cmd_rd); - cmd_wr = malloc(VTSCSI_OUT_HEADER_LEN(sc)); + cmd_wr = calloc(1, VTSCSI_OUT_HEADER_LEN(sc)); io = ctl_scsi_alloc_io(sc->vss_iid); ctl_scsi_zero_io(io);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202211110124.2AB1Oaa0027396>