Diffusion FreeBSD src repository 9b11b889402a

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()
9b11b889402a
Actions

Description

bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()

Avoid a race condition when accessing guest memory, by reading memory
contents only once.

This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-10
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45735

(cherry picked from commit 869d760cb9d7a307faa2fbe8c1c2b238a81b74d4)
(cherry picked from commit ed03c309908687bdb9f71dc6d9c9c8a92c54fc20)

Details

Provenance

khorben_defora.org	Authored on Aug 27 2024, 1:57 PM
emaste	Committed on Tue, Oct 29, 6:43 PM

Reviewer

markj

Differential Revision

Restricted Differential Revision

Parents

rG97a933932e96: bhyve/nvme: Fix out-of-bounds read in NVMe log page

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rG9b11b889402a: bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon() (authored by khorben_defora.org).Tue, Oct 29, 6:43 PM

emaste added an edge: Restricted Differential Revision.Tue, Oct 29, 6:46 PM

Changes (2)

Path

Size

sys/

dev/

beri/

virtio/

virtio.c

usr.sbin/

bhyve/

virtio.c

rG9b11b889402a

View Options

sys/dev/beri/virtio/virtio.c