git: f368a02e1013 - releng/13.3 - ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 20:29:43 UTC
The branch releng/13.3 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=f368a02e1013b0d669f77d5a606ef76468b903a1

commit f368a02e1013b0d669f77d5a606ef76468b903a1
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:12 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 20:29:13 +0000

    ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes
    
    This vulnerability is directly accessible to a guest VM through the
    pci_virtio_scsi bhyve device.
    
    In the function ctl_report_supported_opcodes() accessible from the VM,
    the option RSO_OPTIONS_OC_ASA does not check the requested
    service_action value before accessing &ctl_cmd_table[].
    
    Reported by:    Synacktiv
    Reviewed by:    asomers
    Security:       FreeBSD-SA-24:11.ctl
    Security:       CVE-2024-42416
    Security:       HYP-06
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46027
    
    (cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9)
    (cherry picked from commit 803e0c2ab29bb6b715c38e82da4930d46590e8e0)
    (cherry picked from commit c8afc072690fd7541159cfe76c544797a5b37bce)
    
    Approved by:    so
---
 sys/cam/ctl/ctl.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 6fbe6bc5a484..5d4dbd295f20 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -7513,20 +7513,19 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio)
 	case RSO_OPTIONS_OC_SA:
 		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
 		    service_action >= 32) {
-			ctl_set_invalid_field(/*ctsio*/ ctsio,
-					      /*sks_valid*/ 1,
-					      /*command*/ 1,
-					      /*field*/ 2,
-					      /*bit_valid*/ 1,
-					      /*bit*/ 2);
-			ctl_done((union ctl_io *)ctsio);
-			return (CTL_RETVAL_COMPLETE);
+			goto invalid;
 		}
-		/* FALLTHROUGH */
+		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
+		break;
 	case RSO_OPTIONS_OC_ASA:
+		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
+		    service_action >= 32) {
+			goto invalid;
+		}
 		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 		break;
 	default:
+invalid:
 		ctl_set_invalid_field(/*ctsio*/ ctsio,
 				      /*sks_valid*/ 1,
 				      /*command*/ 1,