git: 6ce4821f0859 - stable/14 - bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 15:42:29 UTC
The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ce4821f0859eb00e1754917e1471184755b6358

commit 6ce4821f0859eb00e1754917e1471184755b6358
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 14:59:23 +0000

    bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
    
    The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
    over-write; the MMIO handler serves the heap-allocated structure
    tpm_ppi_qemu.
    The issue is that the structure size is smaller than 0x1000 and the
    handler does not validate the offset and size (sizeof is 0x15A while the
    handler allows up to 0x1000 bytes).
    
    Reported by:    Synacktiv
    Reviewed by:    corvink
    Security:       FreeBSD-SA-24:10.bhyve
    Security:       CVE-2024-41928
    Security:       HYP-01
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45980
    
    (cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
---
 usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c
index da0edf84798f..ddc3fc0045b9 100644
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c
+++ b/usr.sbin/bhyve/tpm_ppi_qemu.c
@@ -26,7 +26,7 @@
 #include "tpm_ppi.h"
 
 #define TPM_PPI_ADDRESS 0xFED45000
-#define TPM_PPI_SIZE 0x1000
+#define TPM_PPI_SIZE 0x400
 
 #define TPM_PPI_FWCFG_FILE "etc/tpm/config"
 
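Review bot: the new value of TPM_PPI_SIZE (0x400) carries no explanation, and this define now does double duty as both the MMIO window size and, in the second hunk, the allocation size for the backing structure; a comment at the define saying why 0x400 was chosen (it still exceeds the 0x15A structure size the commit message quotes, so reads of the tail return zeroed padding rather than structure fields) and that the allocation and handler range must stay in sync would make the invariant obvious to the next person who edits either line.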
@@ -101,7 +101,7 @@ tpm_ppi_init(void **sc)
 	struct tpm_ppi_fwcfg *fwcfg = NULL;
 	int error;
 
-	ppi = calloc(1, sizeof(*ppi));
+	ppi = calloc(1, TPM_PPI_SIZE);
 	if (ppi == NULL) {
 		warnx("%s: failed to allocate acpi region for ppi", __func__);
 		error = ENOMEM;
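Review bot: switching the allocation from sizeof(*ppi) to TPM_PPI_SIZE closes the overflow only as long as TPM_PPI_SIZE is never smaller than the structure, and nothing here enforces that; consider a _Static_assert(sizeof(*ppi) <= TPM_PPI_SIZE, ...) next to the calloc so a future shrink of the define fails at compile time instead of reintroducing the heap over-read. It would also be worth noting in the commit message that the handler itself still does not validate offset and size, so the fix is to make the backing buffer cover the whole accepted range rather than to reject out-of-range accesses.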