HomeFreeBSD
Diffusion FreeBSD src repository 429f200688ca

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
429f200688ca
Actions

Description

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
over-write, the MMIO handler serves the heap allocated structure
tpm_ppi_qemu.
The issue is that the structure size is smaller than 0x1000 and the
handler does not validate the offset and size (sizeof is 0x15A while the
handler allows up to 0x1000 bytes)

Reported by: Synacktiv
Reviewed by: corvink
Security: FreeBSD-SA-24:10.bhyve
Security: CVE-2024-41928
Security: HYP-01
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45980

(cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
(cherry picked from commit 6ce4821f0859eb00e1754917e1471184755b6358)

Approved by: so

Details

Provenance
khorben_defora.orgAuthored on Sep 4 2024, 2:38 PM
emasteCommitted on Sep 4 2024, 8:53 PM
Reviewer
corvink
Differential Revision
Restricted Differential Revision
Parents
rGb219ce1c5a93: libnv: verify that string is null terminated
Branches
Unknown
Tags
Unknown

Changes (1)

PathSize
usr.sbin/
bhyve/

rG429f200688ca

View Options

usr.sbin/bhyve/tpm_ppi_qemu.c

Loading...