
bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

Description

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
over-write: the MMIO handler serves the heap-allocated structure
tpm_ppi_qemu.
The issue is that the structure size is smaller than 0x1000 and the
handler does not validate the offset and size (sizeof is 0x15A while the
handler allows up to 0x1000 bytes).

Reported by: Synacktiv
Reviewed by: corvink
Security: FreeBSD-SA-24:10.bhyve
Security: CVE-2024-41928
Security: HYP-01
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45980
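The bug class the commit message describes, as an added example written for this page. It is not bhyve's code and not the patch under review: the structure layout, the names (ppi_regs, ppi_mmio_handler_unsafe, ppi_mmio_handler, regs_copy, unsafe_write_spill) and the MMIO_READ/MMIO_WRITE flags are hypothetical, and only the two sizes, 0x15A for the backing structure and 0x1000 for the MMIO range, come from the commit message. It assumes a little-endian register file and at most 8-byte accesses. The unsafe handler checks the offset only against the 4 KiB range, so any offset in [0x15A, 0x1000) reaches heap memory past the structure; the hardened handler checks every byte of the access against sizeof the structure, written so that offset + size cannot wrap.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PPI_MMIO_LEN	0x1000	/* length of the guest-visible MMIO range */
#define PPI_REGS_LEN	0x15A	/* sizeof the heap-backed register struct */
#define PPI_MAX_ACCESS	8	/* widest single MMIO access accepted (assumption) */

enum { MMIO_READ, MMIO_WRITE };	/* hypothetical direction flags */

/* Hypothetical register layout, sized to exactly 0x15A bytes. */
struct ppi_regs {
	uint8_t func[256];
	uint8_t ret[PPI_REGS_LEN - 256];
};
_Static_assert(sizeof(struct ppi_regs) == PPI_REGS_LEN, "layout");

/* Little-endian byte access into the register file. */
static void
regs_copy(uint8_t *p, int dir, int size, uint64_t *val)
{
	if (dir == MMIO_READ) {
		*val = 0;
		for (int i = 0; i < size; i++)
			*val |= (uint64_t)p[i] << (8 * i);
	} else {
		for (int i = 0; i < size; i++)
			p[i] = (uint8_t)(*val >> (8 * i));
	}
}

/*
 * Vulnerable shape: the only offset check is against the MMIO range,
 * so an offset in [0x15A, 0x1000) reads or writes heap memory past *regs.
 */
static int
ppi_mmio_handler_unsafe(struct ppi_regs *regs, int dir, uint64_t offset,
    int size, uint64_t *val)
{
	if (offset >= PPI_MMIO_LEN || size <= 0 || size > PPI_MAX_ACCESS)
		return (EINVAL);
	regs_copy((uint8_t *)regs + offset, dir, size, val);
	return (0);
}

/*
 * The check the fix needs: every byte of the access must fall inside the
 * backing structure.  Comparing size against the remaining length rather
 * than computing offset + size avoids wrap-around on a huge offset.
 */
static bool
ppi_access_in_bounds(uint64_t offset, int size)
{
	if (size <= 0 || size > PPI_MAX_ACCESS)
		return (false);
	if (offset >= PPI_REGS_LEN)
		return (false);
	return ((uint64_t)size <= PPI_REGS_LEN - offset);
}

static int
ppi_mmio_handler(struct ppi_regs *regs, int dir, uint64_t offset, int size,
    uint64_t *val)
{
	if (!ppi_access_in_bounds(offset, size))
		return (EINVAL);
	regs_copy((uint8_t *)regs + offset, dir, size, val);
	return (0);
}

/*
 * Shows the spill without corrupting real heap metadata: the struct sits
 * at the start of a page-sized buffer, so a 4-byte write past 0x15A lands
 * in the bytes after it.  Returns the offset of the first byte modified
 * beyond sizeof(struct ppi_regs), or -1 if nothing spilled.
 */
static long
unsafe_write_spill(uint64_t offset, uint64_t val)
{
	uint8_t *page = calloc(1, PPI_MMIO_LEN);
	long first = -1;

	if (page == NULL)
		return (-1);
	(void)ppi_mmio_handler_unsafe((struct ppi_regs *)page, MMIO_WRITE,
	    offset, 4, &val);
	for (long i = PPI_REGS_LEN; i < PPI_MMIO_LEN; i++)
		if (page[i] != 0) { first = i; break; }
	free(page);
	return (first);
}

int
main(void)
{
	struct ppi_regs *regs = calloc(1, sizeof(*regs));
	uint64_t v = 0x41424344;

	if (regs == NULL)
		return (1);
	printf("unsafe write at 0x200 dirtied byte 0x%lx past the struct\n",
	    unsafe_write_spill(0x200, 0x41414141));
	printf("hardened write at 0x200: errno %d\n",
	    ppi_mmio_handler(regs, MMIO_WRITE, 0x200, 4, &v));
	printf("hardened write at 0x157 size 4: errno %d\n",
	    ppi_mmio_handler(regs, MMIO_WRITE, 0x157, 4, &v));
	free(regs);
	return (0);
}
```

The boundary cases worth keeping in mind when reviewing a fix of this kind: an access that ends exactly at sizeof (offset 0x156, size 4) is legal, one byte further is not, and a check of the form `offset + size <= len` is only safe if size is already bounded, otherwise a large offset can wrap it.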

Details

Provenance
khorben_defora.org Authored on Sep 4 2024, 2:38 PM
emaste Committed on Sep 4 2024, 2:38 PM
Reviewer
corvink
Differential Revision
Restricted Differential Revision
Parents
rG01f43479b592: ipsec: Drain async ipsec_offload work when destroying a vnet