Page MenuHomeFreeBSD
Differential D46882

bhyve: buffer overflow in pci_vtcon_control_send
ClosedPublic
Actions

Authored by khorben on Oct 2 2024, 9:51 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, May 18, 5:15 PM
Unknown Object (File)
Tue, May 12, 4:59 PM
Unknown Object (File)
Tue, May 12, 11:51 AM
Unknown Object (File)
Tue, May 12, 6:53 AM
Unknown Object (File)
Tue, May 12, 6:52 AM
Unknown Object (File)
Mon, May 11, 10:14 PM
Unknown Object (File)
Thu, Apr 30, 10:37 AM
Unknown Object (File)
Tue, Apr 28, 3:02 PM
View All Files
Subscribers
bcran
imp
markj
rgrimes

Details

Reviewers
emaste
jrm
jhb
markj
Group Reviewers
bhyve
Commits
rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send
Summary

This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

khorben created this revision.Oct 2 2024, 9:51 PM
khorben created this object with edit policy "Custom Policy".
Herald added a reviewer: bhyve. · View Herald TranscriptOct 2 2024, 9:51 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
khorben requested review of this revision.Oct 2 2024, 9:51 PM
khorben added a parent revision: Restricted Differential Revision.
markj added a subscriber: markj.Oct 4 2024, 1:37 PM
markj added inline comments.
usr.sbin/bhyve/pci_virtio_console.c
587

This check should come before the vq_getchain() call. The vq_relchain() call at the out label contains an instance of the overflowing expression.

khorben updated this revision to Diff 144848.Oct 14 2024, 6:39 PM

Moved the sanity check for len to the beginning of pci_vtcon_control_send().

khorben added a reviewer: markj.Oct 14 2024, 6:56 PM
markj accepted this revision as: markj.Oct 15 2024, 8:41 PM
This revision is now accepted and ready to land.Oct 15 2024, 8:41 PM
Closed by commit rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send (authored by khorben, committed by emaste). · Explain WhyOct 15 2024, 8:55 PM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send.
emaste mentioned this in rGc17d96fe7952: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:32 PM
emaste mentioned this in rGc4ec2918f26e: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:34 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
7 lines

Diff 144848

View Options

usr.sbin/bhyve/pci_virtio_console.c

Loading...