git: 8934002959e0 - main - bhyve: avoid buffer overflow in pci_vtcon_control_send
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 30 Sep 2024 12:01:49 UTC
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=8934002959e02bcf5e3262730c3a731af95afb15 commit 8934002959e02bcf5e3262730c3a731af95afb15 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-07-24 18:23:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-30 12:01:28 +0000 bhyve: avoid buffer overflow in pci_vtcon_control_send The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Inside the function pci_vtcon_control_send, the length of the iov buffer is not validated before copy of the payload. Reported by: Synacktiv Reviewed by: markj Security: HYP-19 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46105 --- usr.sbin/bhyve/pci_virtio_console.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c index 921cb29032cf..4b957322b395 100644 --- a/usr.sbin/bhyve/pci_virtio_console.c +++ b/usr.sbin/bhyve/pci_virtio_console.c @@ -580,11 +580,15 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc, n = vq_getchain(vq, &iov, 1, &req); assert(n == 1); + if (iov.iov_len < sizeof(struct pci_vtcon_control)) + goto out; + memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control)); if (payload != NULL && len > 0) memcpy((uint8_t *)iov.iov_base + sizeof(struct pci_vtcon_control), payload, len); +out: vq_relchain(vq, req.idx, sizeof(struct pci_vtcon_control) + len); vq_endchains(vq, 1); }