Page MenuHomeFreeBSD
Differential D46882

bhyve: buffer overflow in pci_vtcon_control_send
ClosedPublic
Actions

Authored by khorben_defora.org on Oct 2 2024, 9:51 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 24, 12:02 PM
Unknown Object (File)
Dec 23 2024, 7:06 AM
Unknown Object (File)
Dec 14 2024, 9:55 PM
Unknown Object (File)
Dec 4 2024, 6:45 PM
Unknown Object (File)
Nov 25 2024, 4:07 PM
Unknown Object (File)
Nov 22 2024, 11:57 AM
Unknown Object (File)
Nov 6 2024, 11:40 PM
Unknown Object (File)
Nov 6 2024, 11:31 PM
View All 18 Files
Subscribers
bcran
imp
markj
rgrimes

Details

Reviewers
emaste
jrm
jhb
markj
Group Reviewers
bhyve
Commits
rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send
Summary

This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

khorben_defora.org created this revision.Oct 2 2024, 9:51 PM
khorben_defora.org created this object with edit policy "Custom Policy".
Herald added a reviewer: bhyve. · View Herald TranscriptOct 2 2024, 9:51 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
khorben_defora.org requested review of this revision.Oct 2 2024, 9:51 PM
khorben_defora.org added a parent revision: Restricted Differential Revision.
markj added a subscriber: markj.Oct 4 2024, 1:37 PM
markj added inline comments.
usr.sbin/bhyve/pci_virtio_console.c
587

This check should come before the vq_getchain() call. The vq_relchain() call at the out label contains an instance of the overflowing expression.

khorben_defora.org updated this revision to Diff 144848.Oct 14 2024, 6:39 PM

Moved the sanity check for len to the beginning of pci_vtcon_control_send().

khorben_defora.org added a reviewer: markj.Oct 14 2024, 6:56 PM
markj accepted this revision as: markj.Oct 15 2024, 8:41 PM
This revision is now accepted and ready to land.Oct 15 2024, 8:41 PM
Closed by commit rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send (authored by khorben_defora.org, committed by emaste). · Explain WhyOct 15 2024, 8:55 PM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send.
emaste mentioned this in rGc17d96fe7952: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:32 PM
emaste mentioned this in rGc4ec2918f26e: bhyve: avoid buffer overflow in pci_vtcon_control_send.Oct 17 2024, 12:34 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
7 lines

Diff 144954

View Options

usr.sbin/bhyve/pci_virtio_console.c

Loading...