git: af438acbfde3 - main - ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 04 Sep 2024 14:46:18 UTC
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=af438acbfde3d25dbdc82b2b3d72380f0191e9d9 commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-09-04 14:38:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-04 14:38:12 +0000 ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes This vulnerability is directly accessible to a guest VM through the pci_virtio_scsi bhyve device. In the function ctl_report_supported_opcodes() accessible from the VM, the option RSO_OPTIONS_OC_ASA does not check the requested service_action value before accessing &ctl_cmd_table[]. Reported by: Synacktiv Reviewed by: asomers Security: FreeBSD-SA-24:11.ctl Security: CVE-2024-42416 Security: HYP-06 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46027 --- sys/cam/ctl/ctl.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index e58299951540..53858edc2a1d 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -7470,20 +7470,19 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio) case RSO_OPTIONS_OC_SA: if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 || service_action >= 32) { - ctl_set_invalid_field(/*ctsio*/ ctsio, - /*sks_valid*/ 1, - /*command*/ 1, - /*field*/ 2, - /*bit_valid*/ 1, - /*bit*/ 2); - ctl_done((union ctl_io *)ctsio); - return (CTL_RETVAL_COMPLETE); + goto invalid; } - /* FALLTHROUGH */ + total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; + break; case RSO_OPTIONS_OC_ASA: + if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 && + service_action >= 32) { + goto invalid; + } total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; break; default: +invalid: ctl_set_invalid_field(/*ctsio*/ ctsio, /*sks_valid*/ 1, /*command*/ 1,