From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 265385] lib9p's l9p_puqids() can write beyond the end of qids[]
Date: Fri, 22 Jul 2022 15:01:46 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265385

            Bug ID: 265385
           Summary: lib9p's l9p_puqids() can write beyond the end of qids[]
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:

    struct l9p_f_rwalk {
            struct l9p_hdr hdr;
            uint16_t nwqid;
            struct l9p_qid wqid[L9P_MAX_WELEM];
    };

    #define L9P_MAX_WELEM 256

l9p_puqids() doesn't check the server's number against this maximum:

    static ssize_t
    l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
    {
            size_t i, lim;
            ssize_t ret, r;

            r = l9p_pu16(msg, num);
            if (r > 0) {
                    for (i = 0, lim = *num; i < lim; i++) {
                            ret = l9p_puqid(msg, &qids[i]);
                            if (ret < 0)
                                    return (-1);
                            r += ret;
                    }
            }
            return (r);
    }

So if a malicious or enthusiastic server sends back more than 256 qids,
the client will write them beyond the end of wqid[].

-- 
You are receiving this mail because:
You are the assignee for the bug.
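The missing check, as an added example that is neither lib9p's code nor part of the report above: a stand-in unpacker that rejects an nwqid larger than L9P_MAX_WELEM before it touches wqid[], a helper that quantifies how far the unchecked loop would run past the array, and a builder that fabricates an Rwalk payload with an oversized count so the rejection can be exercised offline. The byte-buffer stand-in for struct l9p_message, the omitted hdr field, the unpack-only direction, the build_rwalk/parse_constructed helpers and the 13-byte little-endian qid wire layout (type[1] version[4] path[8]) are this example's own assumptions, not something the report states.

```c
/*
 * Added example, not lib9p code. Assumptions: struct l9p_message is replaced
 * by a byte buffer with a cursor, the l9p_hdr field is omitted, and this
 * stand-in only unpacks (the real l9p_pu* routines pack or unpack depending
 * on direction). On the 9P wire a qid is type[1] version[4] path[8], little-endian.
 */
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

#define L9P_MAX_WELEM	256
#define QID_WIRE_SIZE	13

struct l9p_qid { uint8_t type; uint32_t version; uint64_t path; };
struct l9p_f_rwalk { uint16_t nwqid; struct l9p_qid wqid[L9P_MAX_WELEM]; };

/* Stand-in for struct l9p_message: received bytes plus a read cursor. */
struct l9p_buf { const uint8_t *data; size_t len; size_t pos; };

/* Read n little-endian bytes (n <= 8); -1 if the buffer runs short. */
static int
get_le(struct l9p_buf *m, size_t n, uint64_t *out)
{
	uint64_t v = 0;
	size_t i;

	if (m->len - m->pos < n)
		return (-1);
	for (i = 0; i < n; i++)
		v |= (uint64_t)m->data[m->pos + i] << (8 * i);
	m->pos += n;
	*out = v;
	return (0);
}

/*
 * Hardened counterpart of l9p_puqids(): the server-supplied count is checked
 * against the capacity of wqid[] before any element is written. Returns the
 * bytes consumed, or -1 on an oversized count or a truncated reply.
 */
ssize_t
unpack_rwalk_qids(struct l9p_buf *m, struct l9p_f_rwalk *rw)
{
	uint64_t n, t, ver, path;
	size_t i, lim;

	if (get_le(m, 2, &n) < 0)
		return (-1);
	if (n > L9P_MAX_WELEM)		/* the check the original loop lacks */
		return (-1);
	rw->nwqid = (uint16_t)n;
	for (i = 0, lim = (size_t)n; i < lim; i++) {
		if (get_le(m, 1, &t) < 0 || get_le(m, 4, &ver) < 0 ||
		    get_le(m, 8, &path) < 0)
			return (-1);
		rw->wqid[i].type = (uint8_t)t;
		rw->wqid[i].version = (uint32_t)ver;
		rw->wqid[i].path = path;
	}
	return ((ssize_t)(2 + lim * QID_WIRE_SIZE));
}

/* Bytes the unchecked loop would write past the end of wqid[] for this count. */
size_t
overrun_bytes(uint16_t nwqid)
{
	if (nwqid <= L9P_MAX_WELEM)
		return (0);
	return ((size_t)(nwqid - L9P_MAX_WELEM) * sizeof(struct l9p_qid));
}

/* Constructed Rwalk payload: nwqid, then nwqid directory qids with path = i. */
size_t
build_rwalk(uint8_t *out, size_t cap, uint16_t nwqid)
{
	size_t need = 2 + (size_t)nwqid * QID_WIRE_SIZE, off = 2, i, k;

	if (cap < need)
		return (0);
	out[0] = (uint8_t)nwqid;
	out[1] = (uint8_t)(nwqid >> 8);
	for (i = 0; i < (size_t)nwqid; i++) {
		out[off++] = 0x80;				/* QTDIR */
		for (k = 0; k < 4; k++)
			out[off++] = 0;				/* version 0 */
		for (k = 0; k < 8; k++)
			out[off++] = (uint8_t)((uint64_t)i >> (8 * k));	/* path = i */
	}
	return (need);
}

/* Build a reply with nwqid qids, drop `cut` trailing bytes, then parse it. */
ssize_t
parse_constructed(uint16_t nwqid, size_t cut, struct l9p_f_rwalk *rw)
{
	static uint8_t buf[4096];	/* enough for a few hundred qids */
	struct l9p_buf m = { buf, 0, 0 };

	m.len = build_rwalk(buf, sizeof(buf), nwqid);
	if (m.len == 0 || cut > m.len)
		return (-2);
	m.len -= cut;
	return (unpack_rwalk_qids(&m, rw));
}
```

The check sits between reading nwqid and the first write into wqid[], which is the only place it can go: once the loop has started, each l9p_puqid() call already has a pointer past the array. The truncation case (declared count larger than the bytes actually received) is handled by the per-field length checks in get_le, so a short reply fails cleanly rather than reading beyond the buffer.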