upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

Browse source 
The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
over-write, the MMIO handler serves the heap allocated structure
tpm_ppi_qemu.
The issue is that the structure size is smaller than 0x1000 and the
handler does not validate the offset and size (sizeof is 0x15A while the
handler allows up to 0x1000 bytes)

Reported by:	Synacktiv
Reviewed by:	corvink
Security:	FreeBSD-SA-24:10.bhyve
Security:	CVE-2024-41928
Security:	HYP-01
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45980

(cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
(cherry picked from commit 6ce4821f08)

Approved by:	so
This commit is contained in:
Pierre Pronchery 2024-09-04 14:38:11 +00:00 committed by Franco Fichtner
parent 3078dad2f2
commit 81231dc8bb
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
usr.sbin/bhyve/tpm_ppi_qemu.c
View file

@ -26,7 +26,7 @@
#include "tpm_ppi.h"
#define TPM_PPI_ADDRESS 0xFED45000
#define TPM_PPI_SIZE 0x1000
#define TPM_PPI_SIZE 0x400
#define TPM_PPI_FWCFG_FILE "etc/tpm/config"
@ -101,7 +101,7 @@ tpm_ppi_init(void **sc)
struct tpm_ppi_fwcfg *fwcfg = NULL;
int error;
ppi = calloc(1, sizeof(*ppi));
ppi = calloc(1, TPM_PPI_SIZE);
if (ppi == NULL) {
warnx("%s: failed to allocate acpi region for ppi", __func__);
error = ENOMEM;