git: b37b564ecf0a - stable/13 - bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 11 Nov 2022 01:24:28 UTC
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=b37b564ecf0a2e079acbd1866337a5c6ed739d73 commit b37b564ecf0a2e079acbd1866337a5c6ed739d73 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-08-29 22:36:11 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2022-11-11 01:10:18 +0000 bhyve virtio-scsi: Avoid out of bounds accesses to guest requests. - Ignore I/O requests with insufficiently sized input or output buffers (those not containing compete request headers). - Ignore control requests with improperly sized buffers. - While here, explicitly zero the output header of an I/O request to avoid leaking malloc garbage from the host if the header is not fully populated. PR: 264521 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: mav, emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36271 (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd) --- usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/usr.sbin/bhyve/pci_virtio_scsi.c b/usr.sbin/bhyve/pci_virtio_scsi.c index a960afd21317..563798f19b07 100644 --- a/usr.sbin/bhyve/pci_virtio_scsi.c +++ b/usr.sbin/bhyve/pci_virtio_scsi.c @@ -364,14 +364,27 @@ pci_vtscsi_control_handle(struct pci_vtscsi_softc *sc, void *buf, struct pci_vtscsi_ctrl_an *an; uint32_t type; + if (bufsize < sizeof(uint32_t)) { + WPRINTF("ignoring truncated control request"); + return (0); + } + type = *(uint32_t *)buf; if (type == VIRTIO_SCSI_T_TMF) { + if (bufsize != sizeof(*tmf)) { + WPRINTF("ignoring tmf request with size %zu", bufsize); + return (0); + } tmf = (struct pci_vtscsi_ctrl_tmf *)buf; return (pci_vtscsi_tmf_handle(sc, tmf)); } if (type == VIRTIO_SCSI_T_AN_QUERY) { + if (bufsize != sizeof(*an)) { + WPRINTF("ignoring AN request with size %zu", bufsize); + return (0); + } an = (struct pci_vtscsi_ctrl_an *)buf; return (pci_vtscsi_an_handle(sc, an)); } @@ -468,6 +481,15 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in, uint32_t ext_data_len = 0, ext_sg_entries = 0; int err, nxferred; + if (count_iov(iov_out, niov_out) < VTSCSI_OUT_HEADER_LEN(sc)) { + WPRINTF("ignoring request with insufficient output"); + return (0); + } + if (count_iov(iov_in, niov_in) < VTSCSI_IN_HEADER_LEN(sc)) { + WPRINTF("ignoring request with incomplete header"); + return (0); + } + seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in, VTSCSI_IN_HEADER_LEN(sc)); seek_iov(iov_out, niov_out, data_iov_out, &data_niov_out, @@ -477,7 +499,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in, truncate_iov(iov_out, &niov_out, VTSCSI_OUT_HEADER_LEN(sc)); iov_to_buf(iov_in, niov_in, (void **)&cmd_rd); - cmd_wr = malloc(VTSCSI_OUT_HEADER_LEN(sc)); + cmd_wr = calloc(1, VTSCSI_OUT_HEADER_LEN(sc)); io = ctl_scsi_alloc_io(sc->vss_iid); ctl_scsi_zero_io(io);