Diffusion FreeBSD src repository 869d760cb9d7

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()
869d760cb9d7
Actions

Description

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()

Avoid a race condition when accessing guest memory, by reading memory
contents only once.

This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-10
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45735

Details

Provenance

khorben_defora.org	Authored on Aug 27 2024, 1:57 PM
emaste	Committed on Sep 27 2024, 2:20 PM

Reviewer

markj

Differential Revision

Restricted Differential Revision

Parents

rG94693ec7c853: bhyve: initialize register value

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rG869d760cb9d7: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon() (authored by khorben_defora.org).Sep 27 2024, 2:20 PM

emaste added an edge: Restricted Differential Revision.

emaste mentioned this in rGed03c3099086: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().Oct 2 2024, 8:37 PM

emaste mentioned this in rG6eb7879f4261: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().

emaste mentioned this in rG9b11b889402a: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().Tue, Oct 29, 6:46 PM

emaste mentioned this in rG1c48a9b47821: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().Tue, Oct 29, 6:53 PM

emaste mentioned this in rG296083d6bdb3: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon().

Changes (2)

Path

Size

sys/

dev/

beri/

virtio/

virtio.c

usr.sbin/

bhyve/

virtio.c

rG869d760cb9d7

View Options

sys/dev/beri/virtio/virtio.c