Date: Wed, 4 Sep 2024 14:40:02 GMT
Message-Id: <202409041440.484Ee2qW086208@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: a06fc21e770a - main - bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a06fc21e770a482c8915411ebc98c870e42dd29b

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=a06fc21e770a482c8915411ebc98c870e42dd29b

commit a06fc21e770a482c8915411ebc98c870e42dd29b
Author:     Pierre Pronchery
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste
CommitDate: 2024-09-04 14:38:11 +0000

    bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

    The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
    over-write, the MMIO handler serves the heap allocated structure
    tpm_ppi_qemu. The issue is that the structure size is smaller than
    0x1000 and the handler does not validate the offset and size (sizeof
    is 0x15A while the handler allows up to 0x1000 bytes)

    Reported by:    Synacktiv
    Reviewed by:    corvink
    Security:       FreeBSD-SA-24:10.bhyve
    Security:       CVE-2024-41928
    Security:       HYP-01
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45980
---
 usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c
index 239d39184589..01b8493e7273 100644
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c
+++ b/usr.sbin/bhyve/tpm_ppi_qemu.c
@@ -25,7 +25,7 @@ #include "tpm_ppi.h" #define TPM_PPI_ADDRESS 0xFED45000 -#define TPM_PPI_SIZE 0x1000 +#define TPM_PPI_SIZE 0x400 #define TPM_PPI_FWCFG_FILE "etc/tpm/config" @@ -100,7 +100,7 @@ tpm_ppi_init(void **sc) struct tpm_ppi_fwcfg *fwcfg = NULL; int error; - ppi = calloc(1, sizeof(*ppi)); + ppi = calloc(1, TPM_PPI_SIZE); if (ppi == NULL) { warnx("%s: failed to allocate acpi region for ppi", __func__); error = ENOMEM;
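Review bot: in the first hunk (@@ -25,7) the new TPM_PPI_SIZE of 0x400 is not derived from the structure size the commit message gives (sizeof is 0x15A), so the window is still larger than the object it exposes; a comment next to the `#define` saying where 0x400 comes from, plus a compile-time check such as `_Static_assert(sizeof(*ppi) <= TPM_PPI_SIZE, ...)` placed where the structure is defined, would document the invariant and catch a future growth of the structure past the window.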
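Review bot: in the second hunk (@@ -100,7) switching to `calloc(1, TPM_PPI_SIZE)` makes the backing object as large as the MMIO window, so the handler's unchecked offsets can no longer reach adjacent heap memory, but the commit message itself states that tpm_ppi_mem_handler does not validate offset and size and this hunk leaves that unchanged; the fix therefore depends on the two constants staying in step. Consider also bounding the access inside the handler (offset plus width not exceeding the allocation, width limited to 1/2/4/8), and note that the bytes between sizeof(*ppi) and TPM_PPI_SIZE are now guest-readable and guest-writable scratch that calloc zero-fills but nothing documents.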
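The commit message describes an MMIO handler that forwarded any offset in a 0x1000-byte window to a 0x15A-byte heap object; the patch fixes this by enlarging the allocation. The following is an added example, not bhyve's code, showing the complementary mitigation the message says the handler lacked: validating the offset and access width against the backing object before touching it. The structure layout, the handler signature and the names `ppi_region`, `ppi_access_ok` and `ppi_mem_handler` are hypothetical; only the two sizes come from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Backing-object size as stated in the commit message (sizeof is 0x15A);
 * the real struct tpm_ppi_qemu layout is deliberately not reproduced. */
#define PPI_STRUCT_SIZE 0x15A
/* Pre-fix MMIO window size from the patch: the handler used to accept
 * any offset below this and index the smaller object with it. */
#define PPI_WINDOW_SIZE 0x1000

struct ppi_region {               /* hypothetical stand-in for the heap object */
    uint8_t bytes[PPI_STRUCT_SIZE];
};

enum { PPI_READ = 0, PPI_WRITE = 1 };

/* Return 1 if an access of `size` bytes at `offset` (relative to the window
 * base) lies entirely inside the backing structure, 0 otherwise.  The check
 * is written as a subtraction on the constant so an offset near UINT64_MAX
 * cannot wrap an offset+size sum back into range. */
int
ppi_access_ok(uint64_t offset, int size)
{
    if (size != 1 && size != 2 && size != 4 && size != 8)
        return 0;
    if (offset >= PPI_WINDOW_SIZE)                  /* outside the window */
        return 0;
    if (offset > PPI_STRUCT_SIZE - (uint64_t)size)  /* runs past the object */
        return 0;
    return 1;
}

/* Hardened handler: refuse anything ppi_access_ok() rejects, then copy
 * exactly `size` bytes so no read or write can leave `ppi`.  The memcpy of
 * the low bytes of *val assumes a little-endian host, as x86 bhyve is.
 * Returns 0 on success, EINVAL on a rejected access. */
int
ppi_mem_handler(struct ppi_region *ppi, int dir, uint64_t offset, int size,
    uint64_t *val)
{
    if (!ppi_access_ok(offset, size))
        return EINVAL;
    if (dir == PPI_WRITE) {
        memcpy(&ppi->bytes[offset], val, (size_t)size);
    } else {
        *val = 0;
        memcpy(val, &ppi->bytes[offset], (size_t)size);
    }
    return 0;
}
```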