Page MenuHomeFreeBSD
Differential D36271

bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
ClosedPublic
Actions

Authored by jhb on Aug 19 2022, 11:42 PM.
Tags
None
Referenced Files
F102675344: D36271.diff
Fri, Nov 15, 5:16 PM
Unknown Object (File)
Oct 1 2024, 8:15 PM
Unknown Object (File)
Sep 28 2024, 5:43 PM
Unknown Object (File)
Sep 28 2024, 3:39 AM
Unknown Object (File)
Sep 25 2024, 1:57 AM
Unknown Object (File)
Sep 23 2024, 3:20 AM
Unknown Object (File)
Sep 22 2024, 10:38 AM
Unknown Object (File)
Sep 22 2024, 9:58 AM
View All 45 Files
Subscribers
bcran
emaste
freqlabs
imp
rgrimes

Details

Reviewers
mav
emaste
Group Reviewers
bhyve
Commits
rG1282bf40f7b9: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
rGb37b564ecf0a: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
rGbb31aee26bd1: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
Summary
  • Ignore I/O requests with insufficiently sized input or output buffers (those not containing compete request headers).
  • Ignore control requests with improperly sized buffers.
  • While here, explicitly zero the output header of an I/O request to avoid leaking malloc garbage from the host if the header is not fully populated.

PR: 264521
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Aug 19 2022, 11:42 PM
Herald added a reviewer: bhyve. · View Herald TranscriptAug 19 2022, 11:42 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
jhb requested review of this revision.Aug 19 2022, 11:42 PM
Harbormaster completed remote builds in B47029: Diff 109578.Aug 19 2022, 11:42 PM
jhb added a parent revision: D36270: bhyve virtio-scsi: Tidy warning and debug prints..Aug 19 2022, 11:42 PM
jhb added a comment.Aug 19 2022, 11:44 PM

I have only compiled this, I have not run-tested it as I don't have a virtio-scsi setup handy.

mav accepted this revision.Aug 20 2022, 9:03 PM

Looks good to me with one comment.

usr.sbin/bhyve/pci_virtio_scsi.c
375

I wonder whether we should be more relaxed here with < ? Can the structure grow in later versions?

This revision is now accepted and ready to land.Aug 20 2022, 9:03 PM
emaste added inline comments.Aug 29 2022, 12:59 AM
usr.sbin/bhyve/pci_virtio_scsi.c
375

There isn't a version in the struct, so I think this is a safe choice. We can always change this if and when we learn about a new/larger struct.

jhb added inline comments.Aug 29 2022, 5:18 PM
usr.sbin/bhyve/pci_virtio_scsi.c
375

The current 1.1 spec says the payload of both of these commands is a fixed size. I agree that we can relax this in the future if needed.

emaste accepted this revision.Aug 29 2022, 5:44 PM
Closed by commit rGbb31aee26bd1: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests. (authored by jhb). · Explain WhyAug 29 2022, 10:39 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rGbb31aee26bd1: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests..
jhb added a commit: rGb37b564ecf0a: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests..Nov 11 2022, 1:24 AM
jhb added a commit: rG1282bf40f7b9: bhyve virtio-scsi: Avoid out of bounds accesses to guest requests..

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
24 lines

Diff 109976

View Options

usr.sbin/bhyve/pci_virtio_scsi.c

Loading...