git: b37b564ecf0a - stable/13 - bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Fri, 11 Nov 2022 01:24:28 UTC
The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=b37b564ecf0a2e079acbd1866337a5c6ed739d73

commit b37b564ecf0a2e079acbd1866337a5c6ed739d73
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-08-29 22:36:11 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-11 01:10:18 +0000

    bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.
    
    - Ignore I/O requests with insufficiently sized input or output
      buffers (those not containing compete request headers).
    
    - Ignore control requests with improperly sized buffers.
    
    - While here, explicitly zero the output header of an I/O request to
      avoid leaking malloc garbage from the host if the header is not
      fully populated.
    
    PR:             264521
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    mav, emaste
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D36271
    
    (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd)
---
 usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/bhyve/pci_virtio_scsi.c b/usr.sbin/bhyve/pci_virtio_scsi.c
index a960afd21317..563798f19b07 100644
--- a/usr.sbin/bhyve/pci_virtio_scsi.c
+++ b/usr.sbin/bhyve/pci_virtio_scsi.c
@@ -364,14 +364,27 @@ pci_vtscsi_control_handle(struct pci_vtscsi_softc *sc, void *buf,
 	struct pci_vtscsi_ctrl_an *an;
 	uint32_t type;
 
+	if (bufsize < sizeof(uint32_t)) {
+		WPRINTF("ignoring truncated control request");
+		return (0);
+	}
+
 	type = *(uint32_t *)buf;
 
 	if (type == VIRTIO_SCSI_T_TMF) {
+		if (bufsize != sizeof(*tmf)) {
+			WPRINTF("ignoring tmf request with size %zu", bufsize);
+			return (0);
+		}
 		tmf = (struct pci_vtscsi_ctrl_tmf *)buf;
 		return (pci_vtscsi_tmf_handle(sc, tmf));
 	}
 
 	if (type == VIRTIO_SCSI_T_AN_QUERY) {
+		if (bufsize != sizeof(*an)) {
+			WPRINTF("ignoring AN request with size %zu", bufsize);
+			return (0);
+		}
 		an = (struct pci_vtscsi_ctrl_an *)buf;
 		return (pci_vtscsi_an_handle(sc, an));
 	}
@@ -468,6 +481,15 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in,
 	uint32_t ext_data_len = 0, ext_sg_entries = 0;
 	int err, nxferred;
 
+	if (count_iov(iov_out, niov_out) < VTSCSI_OUT_HEADER_LEN(sc)) {
+		WPRINTF("ignoring request with insufficient output");
+		return (0);
+	}
+	if (count_iov(iov_in, niov_in) < VTSCSI_IN_HEADER_LEN(sc)) {
+		WPRINTF("ignoring request with incomplete header");
+		return (0);
+	}
+
 	seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in,
 	    VTSCSI_IN_HEADER_LEN(sc));
 	seek_iov(iov_out, niov_out, data_iov_out, &data_niov_out,
@@ -477,7 +499,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, struct iovec *iov_in,
 	truncate_iov(iov_out, &niov_out, VTSCSI_OUT_HEADER_LEN(sc));
 	iov_to_buf(iov_in, niov_in, (void **)&cmd_rd);
 
-	cmd_wr = malloc(VTSCSI_OUT_HEADER_LEN(sc));
+	cmd_wr = calloc(1, VTSCSI_OUT_HEADER_LEN(sc));
 	io = ctl_scsi_alloc_io(sc->vss_iid);
 	ctl_scsi_zero_io(io);