Fix insufficient bounds checking in bhyve(8) device model. [SA-18:14.bhyve]

Submitted by: jhb Reported by: Reno Robert Approved by: so Security: FreeBSD-SA-18:14.bhyve Security: CVE-2018-17160
2026-05-28 04:12:45 -04:00 · 2018-12-04 18:38:32 +00:00 · 2018-12-04 18:38:32 +00:00 · 5d1a9cafe0
commit 5d1a9cafe0
parent 371dc08bfd
3 changed files with 21 additions and 15 deletions
--- a/5
+++ b/5
@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.

+20181204	p6	FreeBSD-SA-18:14.bhyve
+
+	Fix insufficient bounds checking in bhyve(8) device model.
+	[SA-18:14.bhyve]
+
 20181127	p5	FreeBSD-SA-18:13.nfs
 			FreeBSD-EN-18:13.icmp
 			FreeBSD-EN-18:14.tzdata
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@ -44,7 +44,7 @@

 TYPE="FreeBSD"
 REVISION="11.2"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
--- a/usr.sbin/bhyve/fwctl.c
+++ b/usr.sbin/bhyve/fwctl.c
@ -77,8 +77,8 @@ static u_int ident_idx;

 struct op_info {
 	int op;
-	int  (*op_start)(int len);
-	void (*op_data)(uint32_t data, int len);
+	int  (*op_start)(uint32_t len);
+	void (*op_data)(uint32_t data, uint32_t len);
 	int  (*op_result)(struct iovec **data);
 	void (*op_done)(struct iovec *data);
 };
@ -117,7 +117,7 @@ errop_set(int err)
 }

 static int
-errop_start(int len)
+errop_start(uint32_t len)
 {
 	errop_code = ENOENT;

@ -126,7 +126,7 @@ errop_start(int len)
 }

 static void
-errop_data(uint32_t data, int len)
+errop_data(uint32_t data, uint32_t len)
 {

 	/* ignore */
@ -186,7 +186,7 @@ static int fget_cnt;
 static size_t fget_size;

 static int
-fget_start(int len)
+fget_start(uint32_t len)
 {

 	if (len > FGET_STRSZ)
@ -198,7 +198,7 @@ fget_start(int len)
 }

 static void
-fget_data(uint32_t data, int len)
+fget_data(uint32_t data, uint32_t len)
 {

 	*((uint32_t *) &fget_str[fget_cnt]) = data;
@ -283,8 +283,8 @@ static struct req_info {
 	struct op_info *req_op;
 	int	 resp_error;
 	int	 resp_count;
-	int	 resp_size;
-	int	 resp_off;
+	size_t	 resp_size;
+	size_t	 resp_off;
 	struct iovec *resp_biov;
 } rinfo;

@ -344,13 +344,14 @@ fwctl_request_start(void)
 static int
 fwctl_request_data(uint32_t value)
 {
-	int remlen;

 	/* Make sure remaining size is >= 0 */
-	rinfo.req_size -= sizeof(uint32_t);
-	remlen = MAX(rinfo.req_size, 0);
+	if (rinfo.req_size <= sizeof(uint32_t))
+		rinfo.req_size = 0;
+	else
+		rinfo.req_size -= sizeof(uint32_t);

-	(*rinfo.req_op->op_data)(value, remlen);
+	(*rinfo.req_op->op_data)(value, rinfo.req_size);

 	if (rinfo.req_size < sizeof(uint32_t)) {
 		fwctl_request_done();
@ -399,7 +400,7 @@ static int
 fwctl_response(uint32_t *retval)
 {
 	uint32_t *dp;
-	int remlen;
+	ssize_t remlen;

 	switch(rinfo.resp_count) {
 	case 0:
@ -434,7 +435,7 @@ fwctl_response(uint32_t *retval)
 	}

 	if (rinfo.resp_count > 3 &&
-	    rinfo.resp_size - rinfo.resp_off <= 0) {
+	    rinfo.resp_off >= rinfo.resp_size) {
 		fwctl_response_done();
 		return (1);
 	}