[Bug 264521] bhyve: pci_vtscsi_request_handle() can read beyond allocated heap object

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 11 Nov 2022 01:25:29 UTC

--- Comment #5 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:


commit b37b564ecf0a2e079acbd1866337a5c6ed739d73
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-08-29 22:36:11 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-11 01:10:18 +0000

    bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

    - Ignore I/O requests with insufficiently sized input or output
      buffers (those not containing compete request headers).

    - Ignore control requests with improperly sized buffers.

    - While here, explicitly zero the output header of an I/O request to
      avoid leaking malloc garbage from the host if the header is not
      fully populated.

    PR:             264521
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    mav, emaste
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D36271

    (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd)

 usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

You are receiving this mail because:
You are on the CC list for the bug.