[Bug 264521] bhyve's pci_vtscsi_request_handle() can read beyond allocated heap object

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264521

            Bug ID: 264521
           Summary: bhyve's pci_vtscsi_request_handle() can read beyond
                    allocated heap object
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Bhyve's pci_vtscsi_request_handle() says:

        iov_to_buf(iov_in, niov_in, (void **)&cmd_rd);
        ...;
        io->io_hdr.nexus.targ_lun = pci_vtscsi_get_lun(cmd_rd->lun);
        // and further uses of cmd_rd

If the guest driver provided no readable virtio descriptors, then
niov_in will be zero, and iov_to_buf() will cause cmd_rd to point to a
zero-length heap object. If there is a readable descriptor, but it's
smaller than sizeof(cmd_rd), there's also a problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.