
bhyve/nvme: Fix out-of-bounds read in NVMe log page

Description

bhyve/nvme: Fix out-of-bounds read in NVMe log page

The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
logsize - logoff
can underflow.

Due to the sc structure layout, an attacker can dump internal fields of
sc and the content of the next heap allocation.

Reported by: Synacktiv
Reviewed by: emaste, jhb
Security: HYP-07
Sponsored by: Alpha-Omega Project, The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46021
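The commit message describes an unsigned subtraction, logsize - logoff, performed on a guest-controlled logoff that is never compared against logsize. The following is an added illustration, not bhyve's code: a stripped-down model of that shape beside the bounds check that prevents the underflow. LOGSIZE, struct emu_state and both function names are constructed for the example.

```c
/* Added illustration (not bhyve's pci_nvme.c): an unchecked log offset
 * turns `logsize - logoff` into a huge unsigned length, and a check that
 * rejects the offset before any arithmetic. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LOGSIZE 64u   /* constructed: size of the emulated log page */

/* Constructed stand-in for the emulator state: the log page is followed
 * in memory by bytes the guest must never be able to read. */
struct emu_state {
    uint8_t logpage[LOGSIZE];
    uint8_t internals[32];
};

/* Vulnerable shape: logoff comes from the guest command and feeds the
 * unsigned subtraction without being compared against logsize.
 * Returns the number of bytes that would be copied to the guest. */
size_t log_copy_unchecked(uint64_t logoff, uint64_t logsize, uint64_t len)
{
    uint64_t avail = logsize - logoff;   /* wraps when logoff > logsize */
    return (size_t)(len < avail ? len : avail);
}

/* Hardened shape: any offset at or past the end of the page is refused
 * (callers map -1 to an "invalid field" status); the subtraction is only
 * reached once logoff < LOGSIZE, so it cannot wrap. */
int log_copy_checked(const struct emu_state *st, uint64_t logoff,
                     uint64_t len, uint8_t *dst, size_t dstlen)
{
    if (logoff >= LOGSIZE)
        return -1;
    uint64_t avail = LOGSIZE - logoff;
    if (len > avail)
        len = avail;
    if (len > dstlen)
        len = dstlen;
    memcpy(dst, st->logpage + logoff, (size_t)len);
    return (int)len;
}
```

With logoff one past the page, the unchecked version reports the full requested length as copyable, which is exactly the over-read the commit fixes; the checked version refuses the same request.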

Details

Provenance
chuck, authored on Sep 19 2024, 3:11 PM
Reviewer
emaste
Differential Revision
Restricted Differential Revision
Parents
rG7d893fce0d11: sesutil: Fix a typo in an error message
Branches
Unknown
Tags
Unknown