From 888fdfbae1e6345c054a031e3d996b1f3a19149b Mon Sep 17 00:00:00 2001
From: gordon <gordon@FreeBSD.org>
Date: Tue, 4 Dec 2018 18:38:32 +0000
Subject: Fix insufficient bounds checking in bhyve(8) device model.
 [SA-18:14.bhyve]

Submitted by:   jhb
Reported by:    Reno Robert
Approved by:    so
Security:       FreeBSD-SA-18:14.bhyve
Security:       CVE-2018-17160
---
 UPDATING               |  5 +++++
 sys/conf/newvers.sh    |  2 +-
 usr.sbin/bhyve/fwctl.c | 29 +++++++++++++++--------------
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/UPDATING b/UPDATING
index 1013bd2..ff522ef 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20181204	p6	FreeBSD-SA-18:14.bhyve
+
+	Fix insufficient bounds checking in bhyve(8) device model.
+	[SA-18:14.bhyve]
+
 20181127	p5	FreeBSD-SA-18:13.nfs
 			FreeBSD-EN-18:13.icmp
 			FreeBSD-EN-18:14.tzdata
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7864322..8aa6c26 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.2"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/usr.sbin/bhyve/fwctl.c b/usr.sbin/bhyve/fwctl.c
index 9e90c1a..33d966b 100644
--- a/usr.sbin/bhyve/fwctl.c
+++ b/usr.sbin/bhyve/fwctl.c
@@ -77,8 +77,8 @@ static u_int ident_idx;
 
 struct op_info {
 	int op;
-	int  (*op_start)(int len);
-	void (*op_data)(uint32_t data, int len);
+	int  (*op_start)(uint32_t len);
+	void (*op_data)(uint32_t data, uint32_t len);
 	int  (*op_result)(struct iovec **data);
 	void (*op_done)(struct iovec *data);
 };
@@ -117,7 +117,7 @@ errop_set(int err)
 }
 
 static int
-errop_start(int len)
+errop_start(uint32_t len)
 {
 	errop_code = ENOENT;
 
@@ -126,7 +126,7 @@ errop_start(int len)
 }
 
 static void
-errop_data(uint32_t data, int len)
+errop_data(uint32_t data, uint32_t len)
 {
 
 	/* ignore */
@@ -186,7 +186,7 @@ static int fget_cnt;
 static size_t fget_size;
 
 static int
-fget_start(int len)
+fget_start(uint32_t len)
 {
 
 	if (len > FGET_STRSZ)
@@ -198,7 +198,7 @@ fget_start(int len)
 }
 
 static void
-fget_data(uint32_t data, int len)
+fget_data(uint32_t data, uint32_t len)
 {
 
 	*((uint32_t *) &fget_str[fget_cnt]) = data;
@@ -283,8 +283,8 @@ static struct req_info {
 	struct op_info *req_op;
 	int	 resp_error;
 	int	 resp_count;
-	int	 resp_size;
-	int	 resp_off;
+	size_t	 resp_size;
+	size_t	 resp_off;
 	struct iovec *resp_biov;
 } rinfo;
 
@@ -344,13 +344,14 @@ fwctl_request_start(void)
 static int
 fwctl_request_data(uint32_t value)
 {
-	int remlen;
 
 	/* Make sure remaining size is >= 0 */
-	rinfo.req_size -= sizeof(uint32_t);
-	remlen = MAX(rinfo.req_size, 0);
+	if (rinfo.req_size <= sizeof(uint32_t))
+		rinfo.req_size = 0;
+	else
+		rinfo.req_size -= sizeof(uint32_t);
 
-	(*rinfo.req_op->op_data)(value, remlen);
+	(*rinfo.req_op->op_data)(value, rinfo.req_size);
 
 	if (rinfo.req_size < sizeof(uint32_t)) {
 		fwctl_request_done();
@@ -399,7 +400,7 @@ static int
 fwctl_response(uint32_t *retval)
 {
 	uint32_t *dp;
-	int remlen;
+	ssize_t remlen;
 
 	switch(rinfo.resp_count) {
 	case 0:
@@ -434,7 +435,7 @@ fwctl_response(uint32_t *retval)
 	}
 
 	if (rinfo.resp_count > 3 &&
-	    rinfo.resp_size - rinfo.resp_off <= 0) {
+	    rinfo.resp_off >= rinfo.resp_size) {
 		fwctl_response_done();
 		return (1);
 	}
-- 
cgit v1.1