
bhyve/nvme: Fix out-of-bounds read in NVMe log page

Description

bhyve/nvme: Fix out-of-bounds read in NVMe log page

The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to a buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
logsize - logoff
can underflow.

Due to the sc structure layout, an attacker can dump internal fields of
sc and the content of the next heap allocation.

Reported by: Synacktiv
Reviewed by: emaste, jhb
Security: HYP-07
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46021

(cherry picked from commit b0a24be007d83f7929de5b3fc320a29e6868067d)
(cherry picked from commit a5be19efbb7c6b07d574ef048b2ebade00440873)
(cherry picked from commit c8f75686adc6bc2078ade279d838cbc5b1745e71)
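The length computation the commit message describes, shown as an added illustration (not bhyve's code, and the 512-byte page size, field names and structure are constructed for the example): the unchecked form wraps when logoff exceeds logsize, the checked form rejects the offset before subtracting.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example: a hypothetical 512-byte log page, not the real layout. */
#define LOG_PAGE_SIZE 512u

/* Unchecked length, mirroring the bug pattern: logsize - logoff is an unsigned
 * subtraction, so a guest-supplied logoff larger than logsize wraps to a huge
 * "available" length and the requested length is used as-is. */
uint32_t unchecked_copy_len(uint32_t logsize, uint32_t logoff, uint32_t req_len)
{
    uint32_t avail = logsize - logoff;      /* wraps when logoff > logsize */
    return req_len < avail ? req_len : avail;
}

/* Where the unchecked copy would end; anything above logsize is an over-read. */
uint32_t unchecked_end_offset(uint32_t logsize, uint32_t logoff, uint32_t req_len)
{
    return logoff + unchecked_copy_len(logsize, logoff, req_len);
}

/* Checked length: validate the offset first, then clamp to the bytes that
 * remain in the page. Returns -1 so the caller can fail the command. */
int64_t checked_copy_len(uint32_t logsize, uint32_t logoff, uint32_t req_len)
{
    if (logoff >= logsize)
        return -1;                          /* offset outside the page: reject */
    uint32_t avail = logsize - logoff;      /* cannot wrap after the check */
    return req_len < avail ? req_len : avail;
}

/* Copy using the checked length; returns bytes copied or -1 on an invalid offset. */
int64_t copy_log_page(uint8_t *dst, const uint8_t *page, uint32_t logsize,
                      uint32_t logoff, uint32_t req_len)
{
    int64_t n = checked_copy_len(logsize, logoff, req_len);
    for (int64_t i = 0; i < n; i++)
        dst[i] = page[logoff + i];          /* every index is < logsize here */
    return n;
}
```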

Details

Provenance
chuck: Authored on Sep 19 2024, 3:11 PM
emaste: Committed on Tue, Oct 29, 6:52 PM
Reviewer
emaste
Parents
rGc31be7380af7: Add UPDATING entries and bump revision.