Page MenuHomeFreeBSD

Several iov handling bugs in bhyve virtio-scsi backend
ClosedPublic

Authored by mav on Dec 6 2018, 10:24 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 22 2023, 9:57 PM
Unknown Object (File)
Dec 14 2023, 8:09 AM
Unknown Object (File)
Jun 27 2023, 3:21 AM
Unknown Object (File)
Jun 27 2023, 3:21 AM
Unknown Object (File)
Jun 27 2023, 3:19 AM
Unknown Object (File)
Jun 27 2023, 3:07 AM
Unknown Object (File)
Apr 12 2023, 5:50 AM
Unknown Object (File)
Apr 12 2023, 5:44 AM
Subscribers

Details

Summary
  • buf_to_iov() does not use buflen parameter, allowing out of bound read.
  • buf_to_iov() leaks memory if seek argument > 0.
  • iov_to_buf() doesn't need to reallocate buffer for every segment.
  • there is no point to use size_t for iov counts, int is more then enough.
  • some iov function arguments can be constified.
  • pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data.
  • pci_vtscsi_controlq_notify() written returned status at wrong offset.
  • pci_vtscsi_controlq_notify() leaked one buffer per event.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable