Date: Tue, 15 Oct 2024 20:55:00 GMT
Message-Id: <202410152055.49FKt0gI086055@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: b34a4edefb0a - main - bhyve: avoid buffer overflow in pci_vtcon_control_send
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=b34a4edefb0a40ced9b17ffd640f52fe55edc1f5

commit b34a4edefb0a40ced9b17ffd640f52fe55edc1f5
Author:     Pierre Pronchery
AuthorDate: 2024-10-02 21:44:37 +0000
Commit:     Ed Maste
CommitDate: 2024-10-15 20:54:19 +0000

    bhyve: avoid buffer overflow in pci_vtcon_control_send

    This is a follow-up to the fix for HYP-19, addressing another condition
    where an overflow might still occur.

    (Spotted by jhb@, thanks!)

    Reported by:    Synacktiv
    Reviewed by:    markj
    Security:       HYP-19
    Sponsored by:   Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46882
---
 usr.sbin/bhyve/pci_virtio_console.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c index 4b957322b395..2950c2276942 100644 --- a/usr.sbin/bhyve/pci_virtio_console.c +++ b/usr.sbin/bhyve/pci_virtio_console.c @@ -572,6 +572,9 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, struct iovec iov; int n; + if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control)) + return; + vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true); if (!vq_has_descs(vq)) 
@@ -580,11 +583,11 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, n = vq_getchain(vq, &iov, 1, &req); assert(n == 1); - if (iov.iov_len < sizeof(struct pci_vtcon_control)) + if (iov.iov_len < sizeof(struct pci_vtcon_control) + len) goto out; memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control)); - if (payload != NULL && len > 0) + if (len > 0) memcpy((uint8_t *)iov.iov_base + sizeof(struct pci_vtcon_control), payload, len);
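Review bot: In the first hunk (@@ -572,6 +572,9 @@), the new guard `if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control)) return;` carries no comment tying it to the arithmetic it protects, and it drops the control message silently. Its purpose only becomes clear next to the `sizeof(struct pci_vtcon_control) + len` comparison in the second hunk, so a one-line comment saying it keeps that sum from wrapping would help the next reader. The parameter list is cut off in the hunk header, so the type of `len` is not visible here; the guard is only meaningful if `len` is a `size_t`, which is worth confirming against the full signature. If a length this large can only come from a caller inside bhyve, an assert or a log message may be more useful than a bare `return`.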
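Review bot: In the second hunk (@@ -580,11 +583,11 @@), changing `if (payload != NULL && len > 0)` to `if (len > 0)` removes the only NULL test on `payload` before the second `memcpy`, so a call with `payload == NULL` and a non-zero `len` now copies from a null pointer where it previously skipped the copy. If that combination is a caller error, say so explicitly with something like `assert(payload != NULL || len == 0)` near the top of the function; otherwise keep the NULL test. The strengthened check `iov.iov_len < sizeof(struct pci_vtcon_control) + len` is the right bound for both copies, and the guard added in the first hunk keeps the sum from wrapping.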