Page MenuHomeFreeBSD
Differential D46882

bhyve: buffer overflow in pci_vtcon_control_send
ClosedPublic
Actions

Authored by khorben_defora.org on Oct 2 2024, 9:51 PM.
Tags
None
Referenced Files
F102041935: D46882.diff
Wed, Nov 6, 9:24 PM
Unknown Object (File)
Thu, Oct 24, 7:50 PM
Unknown Object (File)
Tue, Oct 15, 8:55 PM
Unknown Object (File)
Tue, Oct 8, 9:08 AM
Unknown Object (File)
Tue, Oct 8, 3:46 AM
Unknown Object (File)
Tue, Oct 8, 3:46 AM
Unknown Object (File)
Tue, Oct 8, 3:12 AM
Unknown Object (File)
Mon, Oct 7, 10:26 PM
View All 10 Files
Subscribers
bcran
imp
markj
rgrimes

Details

Reviewers
emaste
jrm
jhb
markj
Group Reviewers
bhyve
Commits
rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send
Summary

This is a follow-up to the fix for HYP-19, addressing another condition where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

khorben_defora.org created this revision.Oct 2 2024, 9:51 PM
khorben_defora.org created this object with edit policy "Custom Policy".
Herald added a reviewer: bhyve. · View Herald TranscriptOct 2 2024, 9:51 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
khorben_defora.org requested review of this revision.Oct 2 2024, 9:51 PM
khorben_defora.org added a parent revision: Restricted Differential Revision.
markj added a subscriber: markj.Oct 4 2024, 1:37 PM
markj added inline comments.
usr.sbin/bhyve/pci_virtio_console.c
587

This check should come before the vq_getchain() call. The vq_relchain() call at the out label contains an instance of the overflowing expression.

khorben_defora.org updated this revision to Diff 144848.Mon, Oct 14, 6:39 PM

Moved the sanity check for len to the beginning of pci_vtcon_control_send().

khorben_defora.org added a reviewer: markj.Mon, Oct 14, 6:56 PM
markj accepted this revision as: markj.Tue, Oct 15, 8:41 PM
This revision is now accepted and ready to land.Tue, Oct 15, 8:41 PM
Closed by commit rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send (authored by khorben_defora.org, committed by emaste). · Explain WhyTue, Oct 15, 8:55 PM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGb34a4edefb0a: bhyve: avoid buffer overflow in pci_vtcon_control_send.
emaste mentioned this in rGc17d96fe7952: bhyve: avoid buffer overflow in pci_vtcon_control_send.Thu, Oct 17, 12:32 PM
emaste mentioned this in rGc4ec2918f26e: bhyve: avoid buffer overflow in pci_vtcon_control_send.Thu, Oct 17, 12:34 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
7 lines

Diff 144848

View Options

usr.sbin/bhyve/pci_virtio_console.c

Loading...