summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorgordon <gordon@FreeBSD.org>2018-12-04 18:38:32 +0000
committergordon <gordon@FreeBSD.org>2018-12-04 18:38:32 +0000
commit888fdfbae1e6345c054a031e3d996b1f3a19149b (patch)
tree7f6d3dd1f58618a779ebfc869f1993bd24116651
parent6328944fa5266b9ec6b06cefcc56492e093bd1f6 (diff)
downloadFreeBSD-src-888fdfbae1e6345c054a031e3d996b1f3a19149b.zip
FreeBSD-src-888fdfbae1e6345c054a031e3d996b1f3a19149b.tar.gz
Fix insufficient bounds checking in bhyve(8) device model. [SA-18:14.bhyve]
Submitted by: jhb Reported by: Reno Robert Approved by: so Security: FreeBSD-SA-18:14.bhyve Security: CVE-2018-17160
-rw-r--r--UPDATING5
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--usr.sbin/bhyve/fwctl.c29
3 files changed, 21 insertions, 15 deletions
diff --git a/UPDATING b/UPDATING
index 1013bd2..ff522ef 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20181204 p6 FreeBSD-SA-18:14.bhyve
+
+ Fix insufficient bounds checking in bhyve(8) device model.
+ [SA-18:14.bhyve]
+
20181127 p5 FreeBSD-SA-18:13.nfs
FreeBSD-EN-18:13.icmp
FreeBSD-EN-18:14.tzdata
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7864322..8aa6c26 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.2"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/usr.sbin/bhyve/fwctl.c b/usr.sbin/bhyve/fwctl.c
index 9e90c1a..33d966b 100644
--- a/usr.sbin/bhyve/fwctl.c
+++ b/usr.sbin/bhyve/fwctl.c
@@ -77,8 +77,8 @@ static u_int ident_idx;
struct op_info {
int op;
- int (*op_start)(int len);
- void (*op_data)(uint32_t data, int len);
+ int (*op_start)(uint32_t len);
+ void (*op_data)(uint32_t data, uint32_t len);
int (*op_result)(struct iovec **data);
void (*op_done)(struct iovec *data);
};
@@ -117,7 +117,7 @@ errop_set(int err)
}
static int
-errop_start(int len)
+errop_start(uint32_t len)
{
errop_code = ENOENT;
@@ -126,7 +126,7 @@ errop_start(int len)
}
static void
-errop_data(uint32_t data, int len)
+errop_data(uint32_t data, uint32_t len)
{
/* ignore */
@@ -186,7 +186,7 @@ static int fget_cnt;
static size_t fget_size;
static int
-fget_start(int len)
+fget_start(uint32_t len)
{
if (len > FGET_STRSZ)
@@ -198,7 +198,7 @@ fget_start(int len)
}
static void
-fget_data(uint32_t data, int len)
+fget_data(uint32_t data, uint32_t len)
{
*((uint32_t *) &fget_str[fget_cnt]) = data;
@@ -283,8 +283,8 @@ static struct req_info {
struct op_info *req_op;
int resp_error;
int resp_count;
- int resp_size;
- int resp_off;
+ size_t resp_size;
+ size_t resp_off;
struct iovec *resp_biov;
} rinfo;
@@ -344,13 +344,14 @@ fwctl_request_start(void)
static int
fwctl_request_data(uint32_t value)
{
- int remlen;
/* Make sure remaining size is >= 0 */
- rinfo.req_size -= sizeof(uint32_t);
- remlen = MAX(rinfo.req_size, 0);
+ if (rinfo.req_size <= sizeof(uint32_t))
+ rinfo.req_size = 0;
+ else
+ rinfo.req_size -= sizeof(uint32_t);
- (*rinfo.req_op->op_data)(value, remlen);
+ (*rinfo.req_op->op_data)(value, rinfo.req_size);
if (rinfo.req_size < sizeof(uint32_t)) {
fwctl_request_done();
@@ -399,7 +400,7 @@ static int
fwctl_response(uint32_t *retval)
{
uint32_t *dp;
- int remlen;
+ ssize_t remlen;
switch(rinfo.resp_count) {
case 0:
@@ -434,7 +435,7 @@ fwctl_response(uint32_t *retval)
}
if (rinfo.resp_count > 3 &&
- rinfo.resp_size - rinfo.resp_off <= 0) {
+ rinfo.resp_off >= rinfo.resp_size) {
fwctl_response_done();
return (1);
}
OpenPOWER on IntegriCloud