Page MenuHomeFreeBSD

Several iov handling bugs in bhyve virtio-scsi backend
ClosedPublic

Authored by mav on Thu, Dec 6, 10:24 PM.

Details

Summary
  • buf_to_iov() does not use buflen parameter, allowing out of bound read.
  • buf_to_iov() leaks memory if seek argument > 0.
  • iov_to_buf() doesn't need to reallocate buffer for every segment.
  • there is no point to use size_t for iov counts, int is more then enough.
  • some iov function arguments can be constified.
  • pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data.
  • pci_vtscsi_controlq_notify() written returned status at wrong offset.
  • pci_vtscsi_controlq_notify() leaked one buffer per event.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

mav created this revision.Thu, Dec 6, 10:24 PM
araujo edited reviewers, added: bhyve; removed: wg.Fri, Dec 7, 4:59 AM
araujo added a subscriber: wg.
mav edited the summary of this revision. (Show Details)Fri, Dec 7, 2:48 PM
araujo accepted this revision.Fri, Dec 7, 7:25 PM

Lgtm!

This revision is now accepted and ready to land.Fri, Dec 7, 7:25 PM
This revision was automatically updated to reflect the committed changes.