Diffusion FreeBSD src repository 6eb7879f4261

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()
6eb7879f4261
Actions

Description

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()

Avoid a race condition when accessing guest memory, by reading memory
contents only once.

This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-10
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45735

(cherry picked from commit 869d760cb9d7a307faa2fbe8c1c2b238a81b74d4)
(cherry picked from commit ed03c309908687bdb9f71dc6d9c9c8a92c54fc20)

Details

Provenance

khorben_defora.org	Authored on Aug 27 2024, 1:57 PM
emaste	Committed on Oct 2 2024, 8:37 PM

Reviewer

markj

Differential Revision

Restricted Differential Revision

Parents

rG37bea3b062ea: pci_iov: Add a device_printf if out of bus numbers

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rG6eb7879f4261: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon() (authored by khorben_defora.org).Oct 2 2024, 8:37 PM

emaste added an edge: Restricted Differential Revision.

emaste mentioned this in rG1c48a9b47821: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().Tue, Oct 29, 6:53 PM

emaste mentioned this in rG296083d6bdb3: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().

Changes (2)

Path

Size

sys/

dev/

beri/

virtio/

virtio.c

usr.sbin/

bhyve/

virtio.c

rG6eb7879f4261

View Options

sys/dev/beri/virtio/virtio.c