
ctl: limit memory allocation in pci_virtio_scsi

Description

ctl: limit memory allocation in pci_virtio_scsi

The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).

All kernel commands accessible from the guest are defined by
ctl_cmd_table.

The command ctl_persistent_reserve_out (cdb[0]=0x5F and cdb[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DoS attack).

Reported by: Synacktiv
Reviewed by: asomers
Security: HYP-08
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46044
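The allocation pattern the commit message describes, as an added C example that is not code from FreeBSD, CTL or this change: a constructed PERSISTENT RESERVE OUT CDB (opcode 0x5F, service action 0 in the low bits of cdb[1]) carries a 32-bit big-endian PARAMETER LIST LENGTH at bytes 5..8. The "before" handler hands that guest-controlled field straight to the allocator; the "after" handler bounds it first. The field offsets follow the SPC CDB layout; PRO_MAX_PARAM_LEN, the function names, the error codes and the sample CDB contents are assumptions for illustration and are not taken from the actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCSI_OP_PERSISTENT_RESERVE_OUT 0x5F
#define PRO_SA_REGISTER                0x00   /* service action lives in cdb[1] bits 4:0 */
#define PRO_CDB_LEN                    10

/*
 * Assumed upper bound for the guest-supplied parameter list. The page does
 * not show which limit the FreeBSD fix uses; the point is only that the
 * allocation must not be driven by an unchecked uint32_t taken from the CDB.
 */
#define PRO_MAX_PARAM_LEN              (64u * 1024u)

/* PARAMETER LIST LENGTH is a big-endian 32-bit field at CDB bytes 5..8. */
static uint32_t pro_param_len(const uint8_t *cdb)
{
    return ((uint32_t)cdb[5] << 24) | ((uint32_t)cdb[6] << 16) |
           ((uint32_t)cdb[7] << 8)  |  (uint32_t)cdb[8];
}

/* Constructed CDB: what a hostile guest would hand to the virtio_scsi device. */
static void build_pro_cdb(uint8_t *cdb, uint8_t service_action, uint32_t param_len)
{
    memset(cdb, 0, PRO_CDB_LEN);
    cdb[0] = SCSI_OP_PERSISTENT_RESERVE_OUT;
    cdb[1] = service_action & 0x1f;
    cdb[5] = (uint8_t)(param_len >> 24);
    cdb[6] = (uint8_t)(param_len >> 16);
    cdb[7] = (uint8_t)(param_len >> 8);
    cdb[8] = (uint8_t)param_len;
}

/*
 * "Before" behaviour, simulated: the handler trusts the CDB and would pass
 * the raw field to malloc(). Returns the size it would request (0 if the CDB
 * is not a PERSISTENT RESERVE OUT). Nothing is allocated here so the demo
 * does not actually try to grab 4 GiB.
 */
static uint32_t vulnerable_request_size(const uint8_t *cdb)
{
    if (cdb[0] != SCSI_OP_PERSISTENT_RESERVE_OUT)
        return 0;
    return pro_param_len(cdb);            /* attacker-controlled, unbounded */
}

/*
 * "After" behaviour: validate the field against a fixed bound, then allocate.
 * Returns a zeroed buffer of *out_len bytes, or NULL with *err set:
 *   -1 wrong opcode, -2 length out of range (the handler would fail the
 *   command instead of allocating), -3 allocator failure.
 * A length of 0 is treated as malformed as well (SPC REGISTER expects a
 * 24-byte parameter list; per-service-action checks are simplified here).
 */
static void *hardened_alloc_params(const uint8_t *cdb, uint32_t *out_len, int *err)
{
    *err = 0;
    *out_len = 0;
    if (cdb[0] != SCSI_OP_PERSISTENT_RESERVE_OUT) {
        *err = -1;
        return NULL;
    }
    uint32_t len = pro_param_len(cdb);
    if (len == 0 || len > PRO_MAX_PARAM_LEN) {
        *err = -2;                        /* reject before touching the allocator */
        return NULL;
    }
    void *buf = calloc(1, len);
    if (buf == NULL) {
        *err = -3;
        return NULL;
    }
    *out_len = len;
    return buf;
}

int main(void)
{
    uint8_t cdb[PRO_CDB_LEN];
    uint32_t len;
    int err;

    build_pro_cdb(cdb, PRO_SA_REGISTER, 0xFFFFFFFFu);
    printf("vulnerable path would malloc(%u) bytes\n", vulnerable_request_size(cdb));
    void *p = hardened_alloc_params(cdb, &len, &err);
    printf("hardened path: %s (err=%d)\n", p ? "allocated" : "rejected", err);
    free(p);

    build_pro_cdb(cdb, PRO_SA_REGISTER, 24);
    p = hardened_alloc_params(cdb, &len, &err);
    printf("hardened path with 24-byte list: %s (len=%u)\n", p ? "allocated" : "rejected", len);
    free(p);
    return 0;
}
```

The bound check happens on the CDB field itself, before any allocation, so a guest that sets the length to 0xFFFFFFFF gets the command rejected rather than a multi-gigabyte kernel allocation; the same shape applies to any other command in ctl_cmd_table whose length field comes straight from the guest.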

Details

Provenance
Authored by khorben_defora.org on Jul 19 2024, 5:32 PM
Committed by emaste on Fri, Oct 4, 12:22 AM
Reviewer
asomers
Parents
rG593d7a1634b5: apcidump: Add dumping SPCR