Page MenuHomeFreeBSD
Differential D46882

bhyve: buffer overflow in pci_vtcon_control_send
ClosedPublic
Actions

Authored by khorben on Oct 2 2024, 9:51 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 18, 4:41 AM
Unknown Object (File)
Mon, Oct 13, 6:59 AM
Unknown Object (File)
Wed, Oct 8, 6:01 PM
Unknown Object (File)
Sun, Oct 5, 9:42 AM
Unknown Object (File)
Fri, Oct 3, 5:21 PM
Unknown Object (File)
Fri, Oct 3, 3:15 PM
Unknown Object (File)
Thu, Oct 2, 7:27 AM
Unknown Object (File)
Fri, Sep 26, 11:43 PM
View All 74 Files
Subscribers
bcran
imp
markj
rgrimes

Details

Reviewers
emaste
jrm
jhb
markj
Group Reviewers
bhyve
Commits
rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send
Summary

This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

khorben created this revision.Oct 2 2024, 9:51 PM
khorben created this object with edit policy "Custom Policy".
Herald added a reviewer: bhyve. · View Herald TranscriptOct 2 2024, 9:51 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
khorben requested review of this revision.Oct 2 2024, 9:51 PM
khorben added a parent revision: Restricted Differential Revision.
markj added a subscriber: markj.Oct 4 2024, 1:37 PM
markj added inline comments.
usr.sbin/bhyve/pci_virtio_console.c
587

This check should come before the vq_getchain() call. The vq_relchain() call at the out label contains an instance of the overflowing expression.

khorben updated this revision to Diff 144848.Oct 14 2024, 6:39 PM

Moved the sanity check for len to the beginning of pci_vtcon_control_send().

khorben added a reviewer: markj.Oct 14 2024, 6:56 PM
markj accepted this revision as: markj.Oct 15 2024, 8:41 PM
This revision is now accepted and ready to land.Oct 15 2024, 8:41 PM
Closed by commit rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send (authored by khorben, committed by emaste). · Explain WhyOct 15 2024, 8:55 PM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send.
emaste mentioned this in rGc17d96fe7952: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:32 PM
emaste mentioned this in rGc4ec2918f26e: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:34 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
7 lines

Diff 144954

View Options

usr.sbin/bhyve/pci_virtio_console.c

Loading...