git: f368a02e1013 - releng/13.3 - ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 04 Sep 2024 20:29:43 UTC
The branch releng/13.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=f368a02e1013b0d669f77d5a606ef76468b903a1 commit f368a02e1013b0d669f77d5a606ef76468b903a1 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-09-04 14:38:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-04 20:29:13 +0000 ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes This vulnerability is directly accessible to a guest VM through the pci_virtio_scsi bhyve device. In the function ctl_report_supported_opcodes() accessible from the VM, the option RSO_OPTIONS_OC_ASA does not check the requested service_action value before accessing &ctl_cmd_table[]. Reported by: Synacktiv Reviewed by: asomers Security: FreeBSD-SA-24:11.ctl Security: CVE-2024-42416 Security: HYP-06 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46027 (cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9) (cherry picked from commit 803e0c2ab29bb6b715c38e82da4930d46590e8e0) (cherry picked from commit c8afc072690fd7541159cfe76c544797a5b37bce) Approved by: so --- sys/cam/ctl/ctl.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 6fbe6bc5a484..5d4dbd295f20 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -7513,20 +7513,19 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio) case RSO_OPTIONS_OC_SA: if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 || service_action >= 32) { - ctl_set_invalid_field(/*ctsio*/ ctsio, - /*sks_valid*/ 1, - /*command*/ 1, - /*field*/ 2, - /*bit_valid*/ 1, - /*bit*/ 2); - ctl_done((union ctl_io *)ctsio); - return (CTL_RETVAL_COMPLETE); + goto invalid; } - /* FALLTHROUGH */ + total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; + break; case RSO_OPTIONS_OC_ASA: + if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 && + service_action >= 32) { + goto invalid; + } total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32; break; default: +invalid: ctl_set_invalid_field(/*ctsio*/ ctsio, /*sks_valid*/ 1, /*command*/ 1,