HomeFreeBSD

bhyve: avoid buffer overflow in pci_vtcon_control_send

Description

bhyve: avoid buffer overflow in pci_vtcon_control_send

The program copies an input buffer to an output buffer without verifying
that the size of the input buffer is less than the size of the output
buffer, leading to a buffer overflow.

Inside the function pci_vtcon_control_send, the length of the iov buffer
is not validated before copy of the payload.

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-19
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46105

(cherry picked from commit 8934002959e02bcf5e3262730c3a731af95afb15)

This is a follow-up to the fix for HYP-19, addressing another condition
where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by: Synacktiv
Reviewed by: markj
Security: HYP-19
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46882

(cherry picked from commit b34a4edefb0a40ced9b17ffd640f52fe55edc1f5)
(cherry picked from commit c17d96fe79529b2490011e7c857739f41a7c3ce6)

Details

Provenance
khorben_defora.orgAuthored on Jul 24 2024, 6:23 PM
emasteCommitted on Thu, Oct 17, 12:34 PM
Reviewer
markj
Differential Revision
Restricted Differential Revision
Parents
rGe360f8c8fecc: mps/mpr: Add workaround for firmware not responding to IOC_FACTS or IOC_INIT
Branches
Unknown
Tags
Unknown