Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 4 Sep 2024 15:53:53 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c8afc072690f - stable/13 - ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes
Message-ID:  <202409041553.484Frrg4019852@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=c8afc072690fd7541159cfe76c544797a5b37bce

commit c8afc072690fd7541159cfe76c544797a5b37bce
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:12 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 15:52:33 +0000

    ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes
    
    This vulnerability is directly accessible to a guest VM through the
    pci_virtio_scsi bhyve device.
    
    In the function ctl_report_supported_opcodes() accessible from the VM,
    the option RSO_OPTIONS_OC_ASA does not check the requested
    service_action value before accessing &ctl_cmd_table[].
    
    Reported by:    Synacktiv
    Reviewed by:    asomers
    Security:       FreeBSD-SA-24:11.ctl
    Security:       CVE-2024-42416
    Security:       HYP-06
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46027
    
    (cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9)
    (cherry picked from commit 803e0c2ab29bb6b715c38e82da4930d46590e8e0)
---
 sys/cam/ctl/ctl.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index f9fec62249cb..b0f34cafac80 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -7513,20 +7513,19 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio)
 	case RSO_OPTIONS_OC_SA:
 		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
 		    service_action >= 32) {
-			ctl_set_invalid_field(/*ctsio*/ ctsio,
-					      /*sks_valid*/ 1,
-					      /*command*/ 1,
-					      /*field*/ 2,
-					      /*bit_valid*/ 1,
-					      /*bit*/ 2);
-			ctl_done((union ctl_io *)ctsio);
-			return (CTL_RETVAL_COMPLETE);
+			goto invalid;
 		}
-		/* FALLTHROUGH */
+		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
+		break;
 	case RSO_OPTIONS_OC_ASA:
+		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
+		    service_action >= 32) {
+			goto invalid;
+		}
 		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 		break;
 	default:
+invalid:
 		ctl_set_invalid_field(/*ctsio*/ ctsio,
 				      /*sks_valid*/ 1,
 				      /*command*/ 1,



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409041553.484Frrg4019852>