HomeFreeBSD
Diffusion FreeBSD src repository 0a271608b328

ctl: fix Use-After-Free in ctl_write_buffer
0a271608b328
Actions

Description

ctl: fix Use-After-Free in ctl_write_buffer

The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability directly accessible from VMs through the pci_virtio_scsi
bhyve device.

The function ctl_write_buffer sets the CTL_FLAG_ALLOCATED flag, causing
the kern_data_ptr to be freed when the command finishes processing.
However, the buffer is still stored in lun->write_buffer, leading to a
Use-After-Free vulnerability.

Since the buffer needs to persist indefinitely, so it can be accessed by
READ BUFFER, do not set CTL_FLAG_ALLOCATED.

Reported by: Synacktiv
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-45063
Security: HYP-03
Sponsored by: Axcient
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46424

(cherry picked from commit 670b582db6cb827a8760df942ed8af0020a0b4d0)
(cherry picked from commit 29937d7a1a0a3061c6ae12b5b35cc32b03829501)

Approved by: so

Details

Provenance
asomersAuthored on Wed, Sep 4, 2:38 PM
emasteCommitted on Wed, Sep 4, 8:54 PM
Reviewer
jhb
Differential Revision
Restricted Differential Revision
Parents
rG429f200688ca: bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
Branches
Unknown
Tags
Unknown

Event Timeline

emaste committed rG0a271608b328: ctl: fix Use-After-Free in ctl_write_buffer (authored by asomers).Wed, Sep 4, 8:54 PM
emaste added an edge: Restricted Differential Revision.

Changes (2)

PathSize
sys/
cam/
ctl/

rG0a271608b328

View Options

sys/cam/ctl/ctl.c

Loading...
View Options

sys/cam/ctl/ctl_private.h

Loading...