git: b34a4edefb0a - main - bhyve: avoid buffer overflow in pci_vtcon_control_send

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Tue, 15 Oct 2024 20:55:00 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=b34a4edefb0a40ced9b17ffd640f52fe55edc1f5

commit b34a4edefb0a40ced9b17ffd640f52fe55edc1f5
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-10-02 21:44:37 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-15 20:54:19 +0000

    bhyve: avoid buffer overflow in pci_vtcon_control_send
    
    This is a follow-up to the fix for HYP-19, addressing another condition
    where an overflow might still occur. (Spotted by jhb@, thanks!)
    
    Reported by:    Synacktiv
    Reviewed by:    markj
    Security:       HYP-19
    Sponsored by:   Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46882
---
 usr.sbin/bhyve/pci_virtio_console.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c
index 4b957322b395..2950c2276942 100644
--- a/usr.sbin/bhyve/pci_virtio_console.c
+++ b/usr.sbin/bhyve/pci_virtio_console.c
@@ -572,6 +572,9 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
 	struct iovec iov;
 	int n;
 
+	if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control))
+		return;
+
 	vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true);
 
 	if (!vq_has_descs(vq))
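Review bot: The new guard on the added lines returns silently and carries no comment saying what it protects, so a later reader will not see that it exists to keep `sizeof(struct pci_vtcon_control) + len` in the next hunk from wrapping before the iov_len comparison; I would put `/* Bail out if sizeof(*ctrl) + len would wrap; the iov_len check below relies on the sum. */` above the `if`. Because the function returns void, a dropped control message leaves no trace at all; if the caller-supplied `len` can realistically reach that range it may deserve an `assert` or a log line rather than a bare `return`, but whether that is possible is not visible here. The comparison against `SIZE_T_MAX` assumes `len` is a `size_t`; if the parameter is narrower or signed the check behaves differently, which is worth confirming against the signature, since pci_vtcon_control_send's parameter list begins outside the hunk.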
@@ -580,11 +583,11 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
 	n = vq_getchain(vq, &iov, 1, &req);
 	assert(n == 1);
 
-	if (iov.iov_len < sizeof(struct pci_vtcon_control))
+	if (iov.iov_len < sizeof(struct pci_vtcon_control) + len)
 		goto out;
 
 	memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
-	if (payload != NULL && len > 0)
+	if (len > 0)
 		memcpy((uint8_t *)iov.iov_base +
 		    sizeof(struct pci_vtcon_control), payload, len);