| Summary: | bhyve: pci_vtscsi_request_handle() can read beyond allocated heap object | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Robert Morris <rtm> |
| Component: | bhyve | Assignee: | John Baldwin <jhb> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | emaste, jhb, virtualization |
| Priority: | --- | Keywords: | needs-patch, needs-qa |
| Version: | CURRENT | Flags: | koobs: mfc-stable13?, koobs: mfc-stable12? |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Robert Morris
2022-06-07 15:21:36 UTC
Similarly, pci_vtscsi_control_handle() ought to check bufsize >= sizeof(struct pci_vtscsi_ctrl_tmf) or _an.

---

Potential fix available at https://reviews.FreeBSD.org/D36271 (note that it requires a cosmetic change in D36270 to compile).

---

(In reply to John Baldwin from comment #2)

Patch D36271 does fix the problem for me.

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd

    commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd
    Author:     John Baldwin <jhb@FreeBSD.org>
    AuthorDate: 2022-08-29 22:36:11 +0000
    Commit:     John Baldwin <jhb@FreeBSD.org>
    CommitDate: 2022-08-29 22:37:27 +0000

        bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

        - Ignore I/O requests with insufficiently sized input or output buffers
          (those not containing complete request headers).
        - Ignore control requests with improperly sized buffers.
        - While here, explicitly zero the output header of an I/O request to
          avoid leaking malloc garbage from the host if the header is not fully
          populated.

        PR:             264521
        Reported by:    Robert Morris <rtm@lcs.mit.edu>
        Reviewed by:    mav, emaste
        MFC after:      1 week
        Sponsored by:   The FreeBSD Foundation
        Differential Revision:  https://reviews.freebsd.org/D36271

     usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
     1 file changed, 23 insertions(+), 1 deletion(-)

---

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b37b564ecf0a2e079acbd1866337a5c6ed739d73

    commit b37b564ecf0a2e079acbd1866337a5c6ed739d73
    Author:     John Baldwin <jhb@FreeBSD.org>
    AuthorDate: 2022-08-29 22:36:11 +0000
    Commit:     John Baldwin <jhb@FreeBSD.org>
    CommitDate: 2022-11-11 01:10:18 +0000

        bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

        - Ignore I/O requests with insufficiently sized input or output buffers
          (those not containing complete request headers).
        - Ignore control requests with improperly sized buffers.
        - While here, explicitly zero the output header of an I/O request to
          avoid leaking malloc garbage from the host if the header is not fully
          populated.

        PR:             264521
        Reported by:    Robert Morris <rtm@lcs.mit.edu>
        Reviewed by:    mav, emaste
        MFC after:      1 week
        Sponsored by:   The FreeBSD Foundation
        Differential Revision:  https://reviews.freebsd.org/D36271

        (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd)

     usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
     1 file changed, 23 insertions(+), 1 deletion(-)

---

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1282bf40f7b90af1fa90223125e10c8e4edb5c39

    commit 1282bf40f7b90af1fa90223125e10c8e4edb5c39
    Author:     John Baldwin <jhb@FreeBSD.org>
    AuthorDate: 2022-08-29 22:36:11 +0000
    Commit:     John Baldwin <jhb@FreeBSD.org>
    CommitDate: 2022-11-11 01:13:19 +0000

        bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

        - Ignore I/O requests with insufficiently sized input or output buffers
          (those not containing complete request headers).
        - Ignore control requests with improperly sized buffers.
        - While here, explicitly zero the output header of an I/O request to
          avoid leaking malloc garbage from the host if the header is not fully
          populated.

        PR:             264521
        Reported by:    Robert Morris <rtm@lcs.mit.edu>
        Reviewed by:    mav, emaste
        MFC after:      1 week
        Sponsored by:   The FreeBSD Foundation
        Differential Revision:  https://reviews.freebsd.org/D36271

        (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd)

     usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
     1 file changed, 23 insertions(+), 1 deletion(-)

---

Committed and merged to stable branches
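The three checks the commit message lists (reject I/O requests whose readable or writable segments are shorter than a full header, reject control requests shorter than the struct their type implies, and zero the response header before anything else) are shown below as an added illustration. This is not bhyve's code and not the D36271 patch: the struct layouts, the `CTRL_T_*` constants, and every function name here are constructed stand-ins that only mimic the general shape of virtio-scsi headers, so that the size-validation pattern can be exercised on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, NOT bhyve's structs. Type values follow the
 * virtio-scsi spec (TMF = 0, AN_QUERY = 1, AN_SUBSCRIBE = 2); the field
 * lists are trimmed to what the size checks need. */
#define CTRL_T_TMF          0u
#define CTRL_T_AN_QUERY     1u
#define CTRL_T_AN_SUBSCRIBE 2u

struct ctrl_tmf {            /* task-management request (24 bytes here) */
    uint32_t type, subtype;
    uint8_t  lun[8];
    uint64_t id;
};

struct ctrl_an {             /* async-notification query/subscribe (16 bytes) */
    uint32_t type;
    uint8_t  lun[8];
    uint32_t event_requested;
};

struct req_hdr {             /* I/O request header supplied by the guest */
    uint8_t  lun[8];
    uint64_t id;
    uint8_t  task_attr, prio, crn;
    uint8_t  cdb[16];
};

struct resp_hdr {            /* I/O response header written back to the guest */
    uint32_t sense_len, residual;
    uint16_t status_qualifier;
    uint8_t  status, response;
};

enum verdict { REQ_OK = 0, REQ_SHORT = -1, REQ_BAD_TYPE = -2 };

/* Control queue: bufsize is whatever the guest chained into the descriptor.
 * Read the type only once at least those 4 bytes exist, then require the
 * complete struct for that type before any other field is interpreted. */
int control_handle(const uint8_t *buf, size_t bufsize)
{
    uint32_t type;

    if (bufsize < sizeof(type))
        return REQ_SHORT;
    memcpy(&type, buf, sizeof(type));      /* avoids misaligned loads */

    switch (type) {
    case CTRL_T_TMF:
        return bufsize >= sizeof(struct ctrl_tmf) ? REQ_OK : REQ_SHORT;
    case CTRL_T_AN_QUERY:
    case CTRL_T_AN_SUBSCRIBE:
        return bufsize >= sizeof(struct ctrl_an) ? REQ_OK : REQ_SHORT;
    default:
        return REQ_BAD_TYPE;
    }
}

/* Request queue: the readable (in) and writable (out) segments must each
 * hold a complete header. The response header is zeroed first, so no path
 * can hand back whatever the host allocator left in the buffer. */
int request_handle(const uint8_t *in, size_t insize, uint8_t *out, size_t outsize)
{
    struct req_hdr  hdr;
    struct resp_hdr resp;

    if (insize < sizeof(hdr) || outsize < sizeof(resp))
        return REQ_SHORT;
    memset(out, 0, sizeof(resp));

    memcpy(&hdr, in, sizeof(hdr));
    /* a real backend would validate hdr.lun and dispatch hdr.cdb here */
    memset(&resp, 0, sizeof(resp));
    resp.status = 0;                        /* SCSI GOOD */
    memcpy(out, &resp, sizeof(resp));
    return REQ_OK;
}

/* Helpers that feed constructed guest buffers to the handlers: a zeroed
 * buffer of the largest control layout with the type stamped in, presented
 * as only `bufsize` bytes; likewise for an I/O request with poisoned output. */
int control_sample(uint32_t type, size_t bufsize)
{
    uint8_t buf[sizeof(struct ctrl_tmf)] = {0};

    memcpy(buf, &type, sizeof(type));
    return control_handle(buf, bufsize);
}

int request_sample(size_t insize, size_t outsize)
{
    uint8_t in[sizeof(struct req_hdr)] = {0};
    uint8_t out[sizeof(struct resp_hdr)];

    memset(out, 0xA5, sizeof(out));         /* stands in for malloc garbage */
    return request_handle(in, insize, out, outsize);
}

/* Returns 1 when a full-size request leaves no poisoned byte in the response. */
int response_is_clean(void)
{
    uint8_t in[sizeof(struct req_hdr)] = {0};
    uint8_t out[sizeof(struct resp_hdr)];
    size_t i;

    memset(out, 0xA5, sizeof(out));
    if (request_handle(in, sizeof(in), out, sizeof(out)) != REQ_OK)
        return 0;
    for (i = 0; i < sizeof(out); i++)
        if (out[i] != 0)
            return 0;
    return 1;
}
```

The order of operations in `control_handle` is the point the report makes: the type field decides which struct size applies, so the type itself has to be bounds-checked before it is read, and the per-type size check has to come before any other field of that struct is touched. Zeroing the output header unconditionally at the top of `request_handle` is cheaper than proving every later path fills every field.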