git: 8934002959e0 - main - bhyve: avoid buffer overflow in pci_vtcon_control_send
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 30 Sep 2024 12:01:49 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=8934002959e02bcf5e3262730c3a731af95afb15
commit 8934002959e02bcf5e3262730c3a731af95afb15
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-07-24 18:23:12 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-30 12:01:28 +0000
bhyve: avoid buffer overflow in pci_vtcon_control_send
The program copies an input buffer to an output buffer without verifying
that the size of the input buffer is less than the size of the output
buffer, leading to a buffer overflow.
Inside the function pci_vtcon_control_send, the length of the iov buffer
is not validated before copy of the payload.
Reported by: Synacktiv
Reviewed by: markj
Security: HYP-19
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46105
---
usr.sbin/bhyve/pci_virtio_console.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c
index 921cb29032cf..4b957322b395 100644
--- a/usr.sbin/bhyve/pci_virtio_console.c
+++ b/usr.sbin/bhyve/pci_virtio_console.c
@@ -580,11 +580,15 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
n = vq_getchain(vq, &iov, 1, &req);
assert(n == 1);
+ if (iov.iov_len < sizeof(struct pci_vtcon_control))
+ goto out;
+
memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
if (payload != NULL && len > 0)
memcpy((uint8_t *)iov.iov_base +
sizeof(struct pci_vtcon_control), payload, len);
+out:
vq_relchain(vq, req.idx, sizeof(struct pci_vtcon_control) + len);
vq_endchains(vq, 1);
}