[Bug 264521] bhyve: pci_vtscsi_request_handle() can read beyond allocated heap object
Date: Fri, 11 Nov 2022 01:25:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264521 --- Comment #5 from commit-hook@FreeBSD.org --- A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b37b564ecf0a2e079acbd1866337a5c6ed739d73 commit b37b564ecf0a2e079acbd1866337a5c6ed739d73 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-08-29 22:36:11 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2022-11-11 01:10:18 +0000 bhyve virtio-scsi: Avoid out of bounds accesses to guest requests. - Ignore I/O requests with insufficiently sized input or output buffers (those not containing compete request headers). - Ignore control requests with improperly sized buffers. - While here, explicitly zero the output header of an I/O request to avoid leaking malloc garbage from the host if the header is not fully populated. PR: 264521 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: mav, emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36271 (cherry picked from commit bb31aee26bd13307d97c5d5bf2b10bf05bdc18fd) usr.sbin/bhyve/pci_virtio_scsi.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) -- You are receiving this mail because: You are on the CC list for the bug.