
bhyve: fix off by one error in pci_xhci

Description

bhyve: fix off by one error in pci_xhci

The function pci_xhci_find_stream validates that the streamid is valid,
but the bounds check accepts up to ep_MaxPStreams inclusive.

The bug results in an out-of-bounds write on the heap with controlled
data.

Reported by: Synacktiv
Reviewed by: jhb
Security: FreeBSD-SA-24:12.bhyve
Security: CVE-2024-32668
Security: HYP-04
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45994

(cherry picked from commit 5c9308a4130858598c76f3ae6e3e3dfb41ccfe68)
(cherry picked from commit 90af1336ed5e3c8556147325c4841c68639c4b63)
(cherry picked from commit 5920b7e6eea1e1c46b78656ef75944fc0709e887)

Approved by: so
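The inclusive bound the commit message describes, as an added example that is not bhyve's code: a stream-table lookup carrying the off-by-one beside the corrected check, plus a probe that models the heap as one allocation holding the table followed by a canary, so the extra slot the buggy check accepts visibly lands on the "adjacent object". The struct layout, the names find_stream_buggy/find_stream_fixed/accepts/probe_neighbour, the MAX_PSTREAMS value and the canary arrangement are all assumptions for illustration; the real pci_xhci_find_stream and its context structures are not reproduced here.

```c
/* Added example, not code from bhyve. All names and the layout are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PSTREAMS 4u  /* assumed stand-in for ep_MaxPStreams: a table of 4 entries */

/* Hypothetical per-stream context; tr_dequeue is the field the caller writes. */
struct stream_ctx {
    uint64_t tr_dequeue;
    uint32_t flags;
    uint32_t pad;
};

typedef struct stream_ctx *(*lookup_fn)(struct stream_ctx *, uint32_t, uint32_t);

/* Buggy variant: the inclusive bound lets streamid == max_pstreams through,
 * which is one entry past the end of a table of max_pstreams entries. */
static struct stream_ctx *
find_stream_buggy(struct stream_ctx *table, uint32_t max_pstreams, uint32_t streamid)
{
    if (max_pstreams == 0)
        return NULL;
    if (streamid > max_pstreams)   /* off by one: accepts max_pstreams itself */
        return NULL;
    return &table[streamid];
}

/* Fixed variant: only 0 .. max_pstreams-1 index the table. */
static struct stream_ctx *
find_stream_fixed(struct stream_ctx *table, uint32_t max_pstreams, uint32_t streamid)
{
    if (max_pstreams == 0)
        return NULL;
    if (streamid >= max_pstreams)
        return NULL;
    return &table[streamid];
}

/* Does the lookup hand back a pointer for this streamid? (No dereference.) */
static int
accepts(lookup_fn lookup, uint32_t streamid)
{
    static struct stream_ctx table[MAX_PSTREAMS];
    return lookup(table, MAX_PSTREAMS, streamid) != NULL;
}

/* Model the heap: one allocation holding the table followed by a canary that
 * stands in for whatever object the allocator placed next. Write controlled
 * data through the lookup at streamid == MAX_PSTREAMS and report whether the
 * neighbour changed (1 = clobbered, 0 = intact, -1 = allocation failed). */
static int
probe_neighbour(lookup_fn lookup)
{
    const size_t slot = sizeof(struct stream_ctx);
    const size_t table_bytes = MAX_PSTREAMS * slot;
    const uint64_t canary = 0x4141414141414141ULL;
    unsigned char *buf = calloc(MAX_PSTREAMS + 1, slot);
    if (buf == NULL)
        return -1;
    memcpy(buf + table_bytes, &canary, sizeof(canary));

    struct stream_ctx *sctx = lookup((struct stream_ctx *)buf, MAX_PSTREAMS, MAX_PSTREAMS);
    if (sctx != NULL)
        sctx->tr_dequeue = 0xdeadbeefcafebabeULL;   /* attacker-chosen value */

    uint64_t after;
    memcpy(&after, buf + table_bytes, sizeof(after));
    free(buf);
    return after != canary;
}

int
main(void)
{
    printf("buggy: accepts id %u: %d, neighbour clobbered: %d\n",
        MAX_PSTREAMS, accepts(find_stream_buggy, MAX_PSTREAMS),
        probe_neighbour(find_stream_buggy));
    printf("fixed: accepts id %u: %d, neighbour clobbered: %d\n",
        MAX_PSTREAMS, accepts(find_stream_fixed, MAX_PSTREAMS),
        probe_neighbour(find_stream_fixed));
    return 0;
}
```

The canary is kept inside the same allocation so the probe stays well-defined C; in the real device the entry after the stream context table is whatever the host heap happened to place there, which is why a guest-chosen streamid equal to the limit turns into a heap write with guest-controlled data.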

Details

Authored by khorben_defora.org on Wed, Sep 4, 2:38 PM
Committed by emaste on Wed, Sep 4, 8:29 PM
Reviewer: jhb
Parent: rG639494a3c1e6: ctl: avoid heap info leak in ctl_request_sense