Page MenuHomeFreeBSD
Differential D46882

bhyve: buffer overflow in pci_vtcon_control_send
ClosedPublic
Actions

Authored by khorben_defora.org on Wed, Oct 2, 9:51 PM.
Tags
None
Referenced Files
F100469803: D46882.diff
Tue, Oct 15, 8:55 PM
Unknown Object (File)
Tue, Oct 8, 9:08 AM
Unknown Object (File)
Tue, Oct 8, 3:46 AM
Unknown Object (File)
Tue, Oct 8, 3:46 AM
Unknown Object (File)
Tue, Oct 8, 3:12 AM
Unknown Object (File)
Mon, Oct 7, 10:26 PM
Unknown Object (File)
Mon, Oct 7, 12:48 AM
Unknown Object (File)
Thu, Oct 3, 6:25 PM
Subscribers
bcran
imp
markj
rgrimes

Details

Reviewers
emaste
jrm
jhb
markj
Group Reviewers
bhyve
Commits
rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send
Summary

This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

khorben_defora.org created this revision.Wed, Oct 2, 9:51 PM
khorben_defora.org created this object with edit policy "Custom Policy".
Herald added a reviewer: bhyve. · View Herald TranscriptWed, Oct 2, 9:51 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
khorben_defora.org requested review of this revision.Wed, Oct 2, 9:51 PM
khorben_defora.org added a parent revision: Restricted Differential Revision.
markj added a subscriber: markj.Fri, Oct 4, 1:37 PM
markj added inline comments.
usr.sbin/bhyve/pci_virtio_console.c
587

This check should come before the vq_getchain() call. The vq_relchain() call at the out label contains an instance of the overflowing expression.

khorben_defora.org updated this revision to Diff 144848.Mon, Oct 14, 6:39 PM

Moved the sanity check for len to the beginning of pci_vtcon_control_send().

khorben_defora.org added a reviewer: markj.Mon, Oct 14, 6:56 PM
markj accepted this revision as: markj.Tue, Oct 15, 8:41 PM
This revision is now accepted and ready to land.Tue, Oct 15, 8:41 PM
Closed by commit rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send (authored by khorben_defora.org, committed by emaste). · Explain WhyTue, Oct 15, 8:55 PM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send.

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
7 lines

Diff 144954

View Options

usr.sbin/bhyve/pci_virtio_console.c

Loading...