HomeFreeBSD

ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes

Description

ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes

This vulnerability is directly accessible to a guest VM through the
pci_virtio_scsi bhyve device.

In the function ctl_report_supported_opcodes() accessible from the VM,
the option RSO_OPTIONS_OC_ASA does not check the requested
service_action value before accessing &ctl_cmd_table[].

Reported by: Synacktiv
Reviewed by: asomers
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-42416
Security: HYP-06
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46027

(cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9)
(cherry picked from commit 803e0c2ab29bb6b715c38e82da4930d46590e8e0)
(cherry picked from commit c8afc072690fd7541159cfe76c544797a5b37bce)

Approved by: so

Details

Provenance
khorben_defora.orgAuthored on Sep 4 2024, 2:38 PM
emasteCommitted on Sep 4 2024, 8:29 PM
Reviewer
asomers
Differential Revision
Restricted Differential Revision
Parents
rG4752a984dc07: ctl: fix memory disclosure in read/write buffer commands
Branches
Unknown
Tags
Unknown