Page MenuHomeFreeBSD

Several iov handling bugs in bhyve virtio-scsi backend

Authored by mav on Dec 6 2018, 10:24 PM.


  • buf_to_iov() does not use buflen parameter, allowing out of bound read.
  • buf_to_iov() leaks memory if seek argument > 0.
  • iov_to_buf() doesn't need to reallocate buffer for every segment.
  • there is no point to use size_t for iov counts, int is more then enough.
  • some iov function arguments can be constified.
  • pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data.
  • pci_vtscsi_controlq_notify() written returned status at wrong offset.
  • pci_vtscsi_controlq_notify() leaked one buffer per event.

Diff Detail

rS FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

mav created this revision.Dec 6 2018, 10:24 PM
araujo edited reviewers, added: bhyve; removed: wg.Dec 7 2018, 4:59 AM
araujo added a subscriber: wg.
mav edited the summary of this revision. (Show Details)Dec 7 2018, 2:48 PM
araujo accepted this revision.Dec 7 2018, 7:25 PM


This revision is now accepted and ready to land.Dec 7 2018, 7:25 PM
This revision was automatically updated to reflect the committed changes.