Diffusion FreeBSD src repository a5be19efbb7c

bhyve/nvme: Fix out-of-bounds read in NVMe log page
a5be19efbb7c
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

bhyve/nvme: Fix out-of-bounds read in NVMe log page

The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
logsize - logoff
can underflow.

Due to the sc structure layout, an attacker can dump internals fields of
sc and the content of next heap allocation.

Reported by: Synacktiv
Reviewed by: emaste, jhb
Security: HYP-07
Sponsored by: Alpha-Omega Project, The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46021

(cherry picked from commit b0a24be007d83f7929de5b3fc320a29e6868067d)

Details

Provenance

chuck	Authored on Sep 19 2024, 3:11 PM
emaste	Committed on Fri, Oct 11, 3:34 PM

Reviewer

Differential Revision

Restricted Differential Revision

Parents

rG2f29060f4613: pkg: improve error message

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rGa5be19efbb7c: bhyve/nvme: Fix out-of-bounds read in NVMe log page (authored by chuck).Fri, Oct 11, 3:34 PM

emaste added an edge: Restricted Differential Revision.Fri, Oct 11, 3:42 PM

emaste mentioned this in rGc8f75686adc6: bhyve/nvme: Fix out-of-bounds read in NVMe log page.

emaste mentioned this in rG97a933932e96: bhyve/nvme: Fix out-of-bounds read in NVMe log page.Tue, Oct 29, 6:46 PM

emaste mentioned this in rG088b759baab5: bhyve/nvme: Fix out-of-bounds read in NVMe log page.Tue, Oct 29, 6:53 PM

emaste mentioned this in rG50ca525bfe96: bhyve/nvme: Fix out-of-bounds read in NVMe log page.

Changes (1)

Path

Size

usr.sbin/

bhyve/

rGa5be19efbb7c

usr.sbin/bhyve/pci_nvme.c

Loading...