Date: Thu, 17 Oct 2024 12:34:25 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: c4ec2918f26e - stable/13 - bhyve: avoid buffer overflow in pci_vtcon_control_send Message-ID: <202410171234.49HCYPnW025675@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=c4ec2918f26e0277e7243ed4fa0ac890b1ce12cd commit c4ec2918f26e0277e7243ed4fa0ac890b1ce12cd Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-07-24 18:23:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-10-17 12:34:11 +0000 bhyve: avoid buffer overflow in pci_vtcon_control_send The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Inside the function pci_vtcon_control_send, the length of the iov buffer is not validated before copy of the payload. Reported by: Synacktiv Reviewed by: markj Security: HYP-19 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46105 (cherry picked from commit 8934002959e02bcf5e3262730c3a731af95afb15) This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!) Reported by: Synacktiv Reviewed by: markj Security: HYP-19 Sponsored by: Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46882 (cherry picked from commit b34a4edefb0a40ced9b17ffd640f52fe55edc1f5) (cherry picked from commit c17d96fe79529b2490011e7c857739f41a7c3ce6) --- usr.sbin/bhyve/pci_virtio_console.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c index a0bb8591811c..183dd1da934d 100644 --- a/usr.sbin/bhyve/pci_virtio_console.c +++ b/usr.sbin/bhyve/pci_virtio_console.c @@ -573,6 +573,9 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, struct iovec iov; int n; + if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control)) + return; + vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true); if (!vq_has_descs(vq)) @@ -581,11 +584,15 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, n = vq_getchain(vq, &iov, 1, &req); assert(n == 1); + if (iov.iov_len < sizeof(struct pci_vtcon_control) + len) + goto out; + memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control)); - if (payload != NULL && len > 0) + if (len > 0) memcpy((uint8_t *)iov.iov_base + sizeof(struct pci_vtcon_control), payload, len); +out: vq_relchain(vq, req.idx, sizeof(struct pci_vtcon_control) + len); vq_endchains(vq, 1); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202410171234.49HCYPnW025675>