
bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
ClosedPublic

Authored by jhb on Aug 19 2022, 11:42 PM.
Tags
None
Referenced Files
F106703677: D36271.diff
Sat, Jan 4, 2:47 AM

Details

Summary
  • Ignore I/O requests with insufficiently sized input or output buffers (those not containing complete request headers).
  • Ignore control requests with improperly sized buffers.
  • While here, explicitly zero the output header of an I/O request to avoid leaking malloc garbage from the host if the header is not fully populated.

PR: 264521
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

jhb requested review of this revision. Aug 19 2022, 11:42 PM

I have only compiled this, I have not run-tested it as I don't have a virtio-scsi setup handy.

Looks good to me with one comment.

usr.sbin/bhyve/pci_virtio_scsi.c
375

I wonder whether we should be more relaxed here with < ? Can the structure grow in later versions?

This revision is now accepted and ready to land. Aug 20 2022, 9:03 PM
usr.sbin/bhyve/pci_virtio_scsi.c
375

There isn't a version in the struct, so I think this is a safe choice. We can always change this if and when we learn about a new/larger struct.

usr.sbin/bhyve/pci_virtio_scsi.c
375

The current 1.1 spec says the payload of both of these commands is a fixed size. I agree that we can relax this in the future if needed.
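The three changes the summary describes (minimum-size check for I/O request headers, exact-size check for control requests, zeroing the output header) together with the `==` versus `<` choice discussed at line 375, as an added example that is not the bhyve code from this revision: the header structs, the function names and the iovec-based descriptor-chain layout are constructed for illustration and are not the definitions in pci_virtio_scsi.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed, simplified headers in the spirit of virtio-scsi; not bhyve's own. */
struct req_cmd_rd { uint8_t lun[8]; uint64_t id; uint8_t attr, prio, crn, cdb[32]; };
struct req_cmd_wr { uint32_t sense_len, residual; uint16_t qualifier;
                    uint8_t status, response, sense[96]; };
struct ctrl_tmf   { uint32_t type, subtype; uint8_t lun[8]; uint64_t id; };

/* Bytes available across a run of descriptors. */
static size_t iov_total(const struct iovec *iov, int cnt)
{
    size_t n = 0;
    for (int i = 0; i < cnt; i++)
        n += iov[i].iov_len;
    return n;
}

/* I/O request: the readable descriptors (first in the chain) must hold a complete
 * read header and the writable ones a complete write header. Short chains are
 * dropped rather than parsed, so nothing is read or written past the guest buffers. */
bool vtscsi_io_request_ok(const struct iovec *iov, int readable, int writable)
{
    return readable >= 1 && writable >= 1 &&
           iov_total(iov, readable) >= sizeof(struct req_cmd_rd) &&
           iov_total(iov + readable, writable) >= sizeof(struct req_cmd_wr);
}

/* Control request: the spec fixes the payload size, so require an exact match
 * (relax to a minimum-size check only if a later spec grows the struct). */
bool vtscsi_ctrl_request_ok(const struct iovec *iov, int readable)
{
    return readable >= 1 && iov_total(iov, readable) == sizeof(struct ctrl_tmf);
}

/* Zero the write header before filling it, so fields the emulation never sets
 * cannot return host malloc garbage to the guest. */
void vtscsi_init_write_header(struct req_cmd_wr *wr, uint8_t status, uint8_t response)
{
    memset(wr, 0, sizeof(*wr));
    wr->status = status;
    wr->response = response;
}
```

A request is validated before any field of the header is touched; a chain that fails the check is simply completed with no data consumed.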