Diffusion FreeBSD src repository a06fc21e770a

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
a06fc21e770a
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
over-write, the MMIO handler serves the heap allocated structure
tpm_ppi_qemu.
The issue is that the structure size is smaller than 0x1000 and the
handler does not validate the offset and size (sizeof is 0x15A while the
handler allows up to 0x1000 bytes)

Reported by: Synacktiv
Reviewed by: corvink
Security: FreeBSD-SA-24:10.bhyve
Security: CVE-2024-41928
Security: HYP-01
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45980

Details

Provenance

khorben_defora.org	Authored on Sep 4 2024, 2:38 PM
emaste	Committed on Sep 4 2024, 2:38 PM

Reviewer

Differential Revision

Restricted Differential Revision

Parents

rG01f43479b592: ipsec: Drain async ipsec_offload work when destroying a vnet

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rGa06fc21e770a: bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler (authored by khorben_defora.org).Sep 4 2024, 2:38 PM

emaste added an edge: Restricted Differential Revision.Sep 4 2024, 2:40 PM

emaste mentioned this in rG6ce4821f0859: bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler.Sep 4 2024, 3:42 PM

emaste mentioned this in rG429f200688ca: bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler.Sep 4 2024, 8:54 PM

emaste mentioned this in rGeab723be7542: bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler.Sep 4 2024, 9:07 PM

Changes (1)

Path

Size

usr.sbin/

bhyve/

rGa06fc21e770a

usr.sbin/bhyve/tpm_ppi_qemu.c

Loading...