HomeFreeBSD

ctl: fix Use-After-Free in ctl_write_buffer

Description

ctl: fix Use-After-Free in ctl_write_buffer

The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability directly accessible from VMs through the pci_virtio_scsi
bhyve device.

The function ctl_write_buffer sets the CTL_FLAG_ALLOCATED flag, causing
the kern_data_ptr to be freed when the command finishes processing.
However, the buffer is still stored in lun->write_buffer, leading to a
Use-After-Free vulnerability.

Since the buffer needs to persist indefinitely, so it can be accessed by
READ BUFFER, do not set CTL_FLAG_ALLOCATED.

Reported by: Synacktiv
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-45063
Security: HYP-03
Sponsored by: Axcient
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46424

(cherry picked from commit 670b582db6cb827a8760df942ed8af0020a0b4d0)
(cherry picked from commit 29937d7a1a0a3061c6ae12b5b35cc32b03829501)

Details

Provenance
asomersAuthored on Sep 4 2024, 2:38 PM
emasteCommitted on Sep 4 2024, 3:52 PM
Reviewer
jhb
Differential Revision
Restricted Differential Revision
Parents
rG5920b7e6eea1: bhyve: fix off by one error in pci_xhci
Branches
Unknown
Tags
Unknown