https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264521
Bug ID: 264521
Summary: bhyve's pci_vtscsi_request_handle() can read beyond
allocated heap object
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: r...@lcs.mit.edu
Bhyve's pci_vtscsi_request_handle() says:
iov_to_buf(iov_in, niov_in, (void **)&cmd_rd);
...;
io->io_hdr.nexus.targ_lun = pci_vtscsi_get_lun(cmd_rd->lun);
// and further uses of cmd_rd
If the guest driver provided no readable virtio descriptors, then
niov_in will be zero, and iov_to_buf() will cause cmd_rd to point to a
zero-length heap object. If there is a readable descriptor, but it's
smaller than sizeof(cmd_rd), there's also a problem.
--
You are receiving this mail because:
You are the assignee for the bug.
