bhyve: avoid buffer overflow in pci_vtcon_control_send

The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Inside the function pci_vtcon_control_send, the length of the iov buffer is not validated before copy of the payload. Reported by: Synacktiv Reviewed by: markj Security: HYP-19 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46105
jlduran · Sep 30, 2024 · 8934002 · 8934002
1 parent 8e3d252
commit 8934002
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c
@@ -580,11 +580,15 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
 	n = vq_getchain(vq, &iov, 1, &req);
 	assert(n == 1);
 
+	if (iov.iov_len < sizeof(struct pci_vtcon_control))
+		goto out;
+
 	memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
 	if (payload != NULL && len > 0)
 		memcpy((uint8_t *)iov.iov_base +
 		    sizeof(struct pci_vtcon_control), payload, len);
 
+out:
 	vq_relchain(vq, req.idx, sizeof(struct pci_vtcon_control) + len);
 	vq_endchains(vq, 1);
 }