git: 8934002959e0 - main - bhyve: avoid buffer overflow in pci_vtcon_control_send

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 30 Sep 2024 12:01:49 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=8934002959e02bcf5e3262730c3a731af95afb15

commit 8934002959e02bcf5e3262730c3a731af95afb15
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-07-24 18:23:12 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-30 12:01:28 +0000

    bhyve: avoid buffer overflow in pci_vtcon_control_send
    
    The program copies an input buffer to an output buffer without verifying
    that the size of the input buffer is less than the size of the output
    buffer, leading to a buffer overflow.
    
    Inside the function pci_vtcon_control_send, the length of the iov buffer
    is not validated before copy of the payload.
    
    Reported by:    Synacktiv
    Reviewed by:    markj
    Security:       HYP-19
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46105
---
 usr.sbin/bhyve/pci_virtio_console.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c
index 921cb29032cf..4b957322b395 100644
--- a/usr.sbin/bhyve/pci_virtio_console.c
+++ b/usr.sbin/bhyve/pci_virtio_console.c
@@ -580,11 +580,15 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
 	n = vq_getchain(vq, &iov, 1, &req);
 	assert(n == 1);
 
+	if (iov.iov_len < sizeof(struct pci_vtcon_control))
+		goto out;
+
 	memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
 	if (payload != NULL && len > 0)
 		memcpy((uint8_t *)iov.iov_base +
 		    sizeof(struct pci_vtcon_control), payload, len);
 
+out:
 	vq_relchain(vq, req.idx, sizeof(struct pci_vtcon_control) + len);
 	vq_endchains(vq, 1);
 }