Date: Wed, 4 Sep 2024 15:51:07 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 803e0c2ab29b - stable/14 - ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes Message-ID: <202409041551.484Fp7gJ015579@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/14 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=803e0c2ab29bb6b715c38e82da4930d46590e8e0 commit 803e0c2ab29bb6b715c38e82da4930d46590e8e0 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-09-04 14:38:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-04 14:59:53 +0000 ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes This vulnerability is directly accessible to a guest VM through the pci_virtio_scsi bhyve device. In the function ctl_report_supported_opcodes() accessible from the VM, the option RSO_OPTIONS_OC_ASA does not check the requested service_action value before accessing &ctl_cmd_table[]. Reported by: Synacktiv Reviewed by: asomers Security: FreeBSD-SA-24:11.ctl Security: CVE-2024-42416 Security: HYP-06 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46027 (cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9) --- sys/cam/ctl/ctl.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index b9013e84ef83..0e0d79d15d8f 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -7514,20 +7514,19 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio) case RSO_OPTIONS_OC_SA: if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 || service_action >= 32) { - ctl_set_invalid_field(/*ctsio*/ ctsio, - /*sks_valid*/ 1, - /*command*/ 1, - /*field*/ 2, - /*bit_valid*/ 1, - /*bit*/ 2); - ctl_done((union ctl_io *)ctsio); - return (CTL_RETVAL_COMPLETE); + goto invalid; } - /* FALLTHROUGH */ + total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; + break; case RSO_OPTIONS_OC_ASA: + if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 && + service_action >= 32) { + goto invalid; + } total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; break; default: +invalid: ctl_set_invalid_field(/*ctsio*/ ctsio, /*sks_valid*/ 1, /*command*/ 1,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409041551.484Fp7gJ015579>