Date: Wed, 4 Sep 2024 21:07:28 GMT
Message-Id: <202409042107.484L7SDC053143@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: eab723be7542 - releng/14.1 - bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.1
X-Git-Reftype: branch
X-Git-Commit: eab723be754290be0501f8d287afd812c6e80a03

The branch releng/14.1 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=eab723be754290be0501f8d287afd812c6e80a03

commit eab723be754290be0501f8d287afd812c6e80a03
Author:     Pierre Pronchery
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste
CommitDate: 2024-09-04 20:46:54 +0000

    bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

    The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
    over-write; the MMIO handler serves the heap-allocated structure
    tpm_ppi_qemu. The issue is that the structure size is smaller than
    0x1000 and the handler does not validate the offset and size (sizeof
    is 0x15A while the handler allows up to 0x1000 bytes).

    Reported by:    Synacktiv
    Reviewed by:    corvink
    Security:       FreeBSD-SA-24:10.bhyve
    Security:       CVE-2024-41928
    Security:       HYP-01
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45980

    (cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
    (cherry picked from commit 6ce4821f0859eb00e1754917e1471184755b6358)

    Approved by:    so
---
 usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c
index 8bea45ea3208..11a306077108 100644
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c +++ b/usr.sbin/bhyve/tpm_ppi_qemu.c @@ -26,7 +26,7 @@ #include "tpm_ppi.h" #define TPM_PPI_ADDRESS 0xFED45000 -#define TPM_PPI_SIZE 0x1000 +#define TPM_PPI_SIZE 0x400 #define TPM_PPI_FWCFG_FILE "etc/tpm/config" @@ -101,7 +101,7 @@ tpm_ppi_init(void **sc) struct tpm_ppi_fwcfg *fwcfg = NULL; int error; - ppi = calloc(1, sizeof(*ppi)); + ppi = calloc(1, TPM_PPI_SIZE); if (ppi == NULL) { warnx("%s: failed to allocate acpi region for ppi", __func__); error = ENOMEM;
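Review bot: nothing in the diff ties sizeof(struct tpm_ppi_qemu) to the new TPM_PPI_SIZE, so the second hunk's `ppi = calloc(1, TPM_PPI_SIZE);` is only safe while the structure (0x15A bytes per the commit message) stays at or under 0x400 bytes; a `_Static_assert(sizeof(*ppi) <= TPM_PPI_SIZE, "PPI struct must fit its MMIO window");` beside the calloc would enforce that invariant and fail the build if a field is ever added. The commit message frames the bug as the handler not validating offset and size, whereas the change takes the other route and sizes the allocation to the window; a one-line comment at `#define TPM_PPI_SIZE 0x400` stating that the allocation and the MMIO range are deliberately the same size, and why 0x400 is the intended window, would stop a later reader from "restoring" `calloc(1, sizeof(*ppi))`. It is also worth confirming in review that the range registered for tpm_ppi_mem_handler and any bound inside the handler use TPM_PPI_SIZE rather than a separate 0x1000 literal, since that code is not in the diff.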
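The commit message above describes the bug class: an MMIO handler that serves a heap object smaller than the guest-addressable window and bounds offsets against the window rather than the allocation. The following is an added example written for this page, not bhyve's code; the names (ppi_region, range_ok_window, range_ok_backing, ppi_mem_handler, demo), the sizes and the probe values are all constructed for illustration. It places the window-based check beside an allocation-based check that also avoids the off + size wrap-around, and shows that the approach this commit takes, allocating the full window, makes the two checks agree.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for the example (not bhyve's layout): the window the
 * guest can address versus the bytes the vulnerable setup allocates. */
#define PPI_WINDOW_SIZE 0x1000
#define PPI_STRUCT_SIZE 0x15A

struct ppi_region {
	uint8_t *buf;  /* heap backing store served through the window */
	size_t len;    /* bytes actually allocated for buf */
};

/* Window-based check, the pattern behind the bug: it never looks at the
 * allocation, and off + size can wrap for a very large offset. */
static int
range_ok_window(const struct ppi_region *r, uint64_t off, size_t size)
{
	(void)r;
	return off + size <= PPI_WINDOW_SIZE;
}

/* Allocation-based check: bounded by r->len, with the arithmetic arranged
 * so that nothing can overflow. */
static int
range_ok_backing(const struct ppi_region *r, uint64_t off, size_t size)
{
	if (size == 0 || size > r->len)
		return 0;
	return off <= r->len - size;
}

typedef int (*range_check_fn)(const struct ppi_region *, uint64_t, size_t);

/* Handler body shared by both variants: copy only after the check passes. */
static int
ppi_mem_handler(struct ppi_region *r, range_check_fn ok, uint64_t off,
    size_t size, uint64_t *val, int is_write)
{
	if (size > sizeof(*val) || !ok(r, off, size))
		return EINVAL;
	if (is_write)
		memcpy(r->buf + off, val, size);
	else {
		*val = 0;
		memcpy(val, r->buf + off, size);
	}
	return 0;
}

/* One zeroed allocation holding the header followed by len backing bytes. */
static struct ppi_region *
ppi_region_alloc(size_t len)
{
	struct ppi_region *r = calloc(1, sizeof(*r) + len);
	if (r != NULL) {
		r->buf = (uint8_t *)(r + 1);
		r->len = len;
	}
	return r;
}

/* Probes the cases a reviewer would try; returns 0 when every expectation
 * holds, otherwise the number of the first step that did not. */
static int
demo(void)
{
	struct ppi_region *small = ppi_region_alloc(PPI_STRUCT_SIZE);
	struct ppi_region *full = ppi_region_alloc(PPI_WINDOW_SIZE);
	uint64_t v = 0x41424344, back = 0;
	int rc = 0;

	if (small == NULL || full == NULL)
		rc = ENOMEM;
	/* In-bounds write, then read back, through the hardened handler. */
	else if (ppi_mem_handler(small, range_ok_backing, 0x100, 4, &v, 1) != 0 ||
	    ppi_mem_handler(small, range_ok_backing, 0x100, 4, &back, 0) != 0 || back != v)
		rc = 1;
	/* Inside the window but past, or straddling, the end of the allocation:
	 * the window check says yes; the allocation check refuses before any copy. */
	else if (!range_ok_window(small, 0x200, 4) ||
	    ppi_mem_handler(small, range_ok_backing, 0x200, 4, &v, 1) != EINVAL ||
	    ppi_mem_handler(small, range_ok_backing, PPI_STRUCT_SIZE - 2, 4, &v, 1) != EINVAL)
		rc = 2;
	/* Huge offset: the naive sum wraps to 2 and passes; the safe form refuses. */
	else if (!range_ok_window(small, UINT64_MAX - 1, 4) || range_ok_backing(small, UINT64_MAX - 1, 4))
		rc = 3;
	/* The route this commit takes: allocate the whole window, after which
	 * both checks agree for every offset the window can express. */
	else if (range_ok_window(full, PPI_WINDOW_SIZE - 4, 4) != range_ok_backing(full, PPI_WINDOW_SIZE - 4, 4) ||
	    range_ok_window(full, PPI_WINDOW_SIZE - 3, 4) != range_ok_backing(full, PPI_WINDOW_SIZE - 3, 4))
		rc = 4;

	free(small);
	free(full);
	return rc;
}

int
main(void)
{
	int rc = demo();
	printf("demo: %s (%d)\n", rc == 0 ? "every check behaved as expected" : "unexpected result", rc);
	return rc;
}
```

The allocation-based check is written as `off <= len - size` after confirming `size <= len`, rather than `off + size <= len`, so that a guest-controlled offset near the top of the address space cannot wrap the sum; the window-based variant in the block accepts exactly such an offset. Sizing the backing store to the window, as the commit does, removes the mismatch for the existing check, but keeping the allocation-based check as well means a later change to either constant cannot reopen the gap.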