From 81231dc8bb1965ed55f8aff34bb73162ce9c0b67 Mon Sep 17 00:00:00 2001 From: Pierre Pronchery Date: Wed, 4 Sep 2024 14:38:11 +0000 Subject: [PATCH] bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler The function tpm_ppi_mem_handler is vulnerable to buffer over-read and over-write, the MMIO handler serves the heap allocated structure tpm_ppi_qemu. The issue is that the structure size is smaller than 0x1000 and the handler does not validate the offset and size (sizeof is 0x15A while the handler allows up to 0x1000 bytes) Reported by: Synacktiv Reviewed by: corvink Security: FreeBSD-SA-24:10.bhyve Security: CVE-2024-41928 Security: HYP-01 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45980 (cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b) (cherry picked from commit 6ce4821f0859eb00e1754917e1471184755b6358) Approved by: so --- usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c index 8bea45ea320..11a30607710 100644 --- a/usr.sbin/bhyve/tpm_ppi_qemu.c +++ b/usr.sbin/bhyve/tpm_ppi_qemu.c @@ -26,7 +26,7 @@ #include "tpm_ppi.h" #define TPM_PPI_ADDRESS 0xFED45000 -#define TPM_PPI_SIZE 0x1000 +#define TPM_PPI_SIZE 0x400 #define TPM_PPI_FWCFG_FILE "etc/tpm/config" @@ -101,7 +101,7 @@ tpm_ppi_init(void **sc) struct tpm_ppi_fwcfg *fwcfg = NULL; int error; - ppi = calloc(1, sizeof(*ppi)); + ppi = calloc(1, TPM_PPI_SIZE); if (ppi == NULL) { warnx("%s: failed to allocate acpi region for ppi", __func__); error = ENOMEM;