Date: Wed, 4 Sep 2024 15:42:29 GMT
Message-Id: <202409041542.484FgT6B002458@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 6ce4821f0859 - stable/14 - bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ce4821f0859eb00e1754917e1471184755b6358

commit 6ce4821f0859eb00e1754917e1471184755b6358
Author:     Pierre Pronchery
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste
CommitDate: 2024-09-04 14:59:23 +0000

    bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

    The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
    over-write: the MMIO handler serves the heap-allocated structure
    tpm_ppi_qemu. The issue is that the structure size is smaller than 0x1000
    and the handler does not validate the offset and size (sizeof is 0x15A
    while the handler allows up to 0x1000 bytes).

    Reported by:    Synacktiv
    Reviewed by:    corvink
    Security:       FreeBSD-SA-24:10.bhyve
    Security:       CVE-2024-41928
    Security:       HYP-01
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D45980

    (cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
---
 usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c
index da0edf84798f..ddc3fc0045b9 100644
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c
+++ b/usr.sbin/bhyve/tpm_ppi_qemu.c
@@ -26,7 +26,7 @@ #include "tpm_ppi.h" #define TPM_PPI_ADDRESS 0xFED45000 -#define TPM_PPI_SIZE 0x1000 +#define TPM_PPI_SIZE 0x400 #define TPM_PPI_FWCFG_FILE "etc/tpm/config" @@ -101,7 +101,7 @@ tpm_ppi_init(void **sc) struct tpm_ppi_fwcfg *fwcfg = NULL; int error; - ppi = calloc(1, sizeof(*ppi)); + ppi = calloc(1, TPM_PPI_SIZE); if (ppi == NULL) { warnx("%s: failed to allocate acpi region for ppi", __func__); error = ENOMEM;
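Review bot: In the first hunk, shrinking TPM_PPI_SIZE from 0x1000 to 0x400 still leaves the window larger than the structure the commit message sizes at 0x15A, so this hunk alone does not close the over-read/over-write; it only does so together with the second hunk that allocates TPM_PPI_SIZE bytes. A comment next to `#define TPM_PPI_SIZE 0x400` stating that the value must be at least the size of the ppi structure would record why it is 0x400 rather than the struct size, and any other consumer of TPM_PPI_SIZE (for example the guest-visible MMIO range at TPM_PPI_ADDRESS) shrinks with it, which should be confirmed as intended.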
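Review bot: In the second hunk, `ppi = calloc(1, TPM_PPI_SIZE);` makes the backing buffer as large as the window the handler accepts, so guest accesses up to 0x400 now land inside the allocation, but correctness depends on the unstated invariant sizeof(*ppi) <= TPM_PPI_SIZE; a `_Static_assert` on that condition (placed in tpm_ppi_init where ppi is in scope, or on the struct type next to the define) would stop a later struct growth from silently reopening the bug. The handler itself is unchanged, so the bytes between the end of the structure and TPM_PPI_SIZE remain guest-readable and guest-writable scratch (zeroed by calloc); a bounds check on offset and size in tpm_ppi_mem_handler would be the more direct fix and is worth either a follow-up or a comment here explaining why the allocation-size approach was chosen.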