[Bug 264521] bhyve: pci_vtscsi_request_handle() can read beyond allocated heap object

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 264521] bhyve's pci_vtscsi_request_handle() can read beyond allocated heap object"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 29 Aug 2022 22:38:26 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264521

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd

commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-08-29 22:36:11 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-08-29 22:37:27 +0000

    bhyve virtio-scsi: Avoid out of bounds accesses to guest requests.

    - Ignore I/O requests with insufficiently sized input or output
      buffers (those not containing compete request headers).

    - Ignore control requests with improperly sized buffers.

    - While here, explicitly zero the output header of an I/O request to
      avoid leaking malloc garbage from the host if the header is not
      fully populated.

    PR:             264521
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    mav, emaste
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D36271

 usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.