freebsd-nq/usr.sbin/bhyve
John Baldwin ed9ffd2f09 Validate guest-supplied length of headers for TSO transmit requests.
When transmitting a large TCP packet, the final transmit descriptor
includes the length of the protocol headers to be duplicated on each
segment.  The device model was trusting the guest-supplied value
without validating it.  A value of zero would result in the guest
being able to indirect a garbage pointer on the stack to overwrite
arbitrary memory in the bhyve process.  A value that was non-zero but
too small for the requested parameters resulted in the device model
reading and writing values beyond the end of the on-stack buffer used
to hold the template header.

To fix, validate the supplied length and drop requests to transmit
packets that would overflow the header buffer.  While here, initialize
the header pointer to NULL as a preventive measure so that any access
to an unallocated template header crashes the hypervisor
deterministically.

While here, only read the TCP sequence number if the packet being
split is a TCP packet.  The e1000 logic supports a segmentation of UDP
frames, and while UDP segmentation requires this part of the header to
be valid (so there is no buffer overflow), only reading the field when
needed is cleaner.

admbugs:	918
Reported by:	Reno Robert <renorobert@gmail.com>
Reviewed by:	markj
Approved by:	so
Security:	CVE-2019-5609
2019-08-05 21:39:55 +00:00
..
acpi.c Acpi MADT table correction for VM_MAXCPU > 21 2019-04-25 22:52:44 +00:00
acpi.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ahci.h Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
atkbdc.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
atkbdc.h Import bhyve_graphics into CURRENT. Thanks to all who tested 2016-07-04 03:19:06 +00:00
audio.c bhyve/audio: don't leak resources on failed initialization. 2019-07-03 17:24:24 +00:00
audio.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
bhyve.8 Correct name of vmm(4) pptdevs variable. 2019-07-02 14:53:51 +00:00
bhyvegc.c When this code was introduced at r300829 the author forgot to add 2018-06-13 04:00:21 +00:00
bhyvegc.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
bhyverun.c Revert r343634: 2019-02-01 03:09:11 +00:00
bhyverun.h Make bhyve SMBIOS table topology aware 2019-04-25 22:53:55 +00:00
block_if.c Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
block_if.h Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
bootrom.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
bootrom.h Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
console.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
console.h Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
consport.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
dbgport.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
dbgport.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
fwctl.c Always treat firmware request and response sizes as unsigned. 2018-12-04 18:28:25 +00:00
fwctl.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
gdb.c Use parse_integer to avoid sign extension. 2019-06-05 23:37:50 +00:00
gdb.h Drop "All rights reserved" from my copyright statements. 2019-03-06 22:11:45 +00:00
hda_codec.c Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
hda_reg.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
hdac_reg.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
inout.c Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
inout.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ioapic.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ioapic.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
iov.c Fix several iov handling bugs in bhyve virtio-scsi backend. 2018-12-07 20:30:00 +00:00
iov.h Fix several iov handling bugs in bhyve virtio-scsi backend. 2018-12-07 20:30:00 +00:00
Makefile bhyve: abstraction for network backends 2019-07-07 12:15:24 +00:00
Makefile.depend DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
mem.c Add support for writing to guest memory in the debug server. 2019-05-24 00:34:13 +00:00
mem.h Add support for writing to guest memory in the debug server. 2019-05-24 00:34:13 +00:00
mevent_test.c Improve bhyve exit(3) error code. 2018-07-11 03:23:09 +00:00
mevent.c usr.sbin/bhyve: send an initialized value to wake up blocking kqueue 2019-07-11 23:54:50 +00:00
mevent.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mptbl.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mptbl.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
net_backends.c usr.sbin/bhyve: close backend file descriptor during tap init error 2019-07-12 18:50:46 +00:00
net_backends.h bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
net_utils.c bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
net_utils.h bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
pci_ahci.c Define AHCI_PORT_IDENT and increase by 1 the VTBLK_BLK_ID_BYTES 2018-11-20 22:21:19 +00:00
pci_e82545.c Validate guest-supplied length of headers for TSO transmit requests. 2019-08-05 21:39:55 +00:00
pci_emul.c Remove a spurious break when setting up a 64-bit memory BAR. 2019-06-12 16:49:01 +00:00
pci_emul.h Keep the shadow PCIR_COMMAND synced with the real one for pass through. 2019-06-07 15:53:27 +00:00
pci_fbuf.c usr.sbin/bhyve: commit miss from r349918 2019-07-11 19:51:33 +00:00
pci_hda.c Fix the register layout for the Buffer Descript List Entry. It 2019-07-23 18:40:07 +00:00
pci_hda.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
pci_hostbridge.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
pci_irq.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
pci_irq.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
pci_lpc.c Add -s "help" and -l "help" to print a list of supported PCI and LPC devices. 2018-08-22 20:23:08 +00:00
pci_lpc.h Add -s "help" and -l "help" to print a list of supported PCI and LPC devices. 2018-08-22 20:23:08 +00:00
pci_nvme.c bhyve: update the NVMe CQ based on the status 2019-07-17 03:19:30 +00:00
pci_passthru.c usr.sbin/bhyve: only unassign a pt device after obtaining bus/slot/func 2019-07-12 18:33:58 +00:00
pci_uart.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
pci_virtio_block.c Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
pci_virtio_console.c usr.sbin/bhyve: free resources when erroring out of pci_vtcon_sock_add() 2019-07-12 18:20:56 +00:00
pci_virtio_net.c usr.sbin/bhyve: free resources when erroring out of pci_vtnet_init() 2019-07-12 05:19:37 +00:00
pci_virtio_rnd.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
pci_virtio_scsi.c usr.sbin/bhyve: prevent use-after-free in virtio scsi request handling 2019-07-12 18:17:35 +00:00
pci_xhci.c bhyve: correct out-of-bounds read in XHCI device emulation 2019-07-23 16:27:36 +00:00
pci_xhci.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
pm.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
post.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ps2kbd.c Remove printf for debug purpose forgotten on r340046. 2018-11-02 13:48:06 +00:00
ps2kbd.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
ps2mouse.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
ps2mouse.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
rfb.c usr.sbin/bhyve: free resources if there is an initialization error in rfb 2019-07-11 19:07:45 +00:00
rfb.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
rtc.c Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
rtc.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
smbiostbl.c Make bhyve SMBIOS table topology aware 2019-04-25 22:53:55 +00:00
smbiostbl.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
sockstream.c Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
sockstream.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
spinup_ap.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
spinup_ap.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
task_switch.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
uart_emul.c usr.sbin/bhyve: don't leak a FD if the device is not a tty 2019-07-12 18:13:58 +00:00
uart_emul.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
usb_emul.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
usb_emul.h Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
usb_mouse.c Revert r343634: 2019-02-01 03:09:11 +00:00
vga.c Add SPDX tags to bhyve(8). 2018-06-13 03:22:08 +00:00
vga.h Fix style(9) space vs tab. 2018-06-14 01:34:53 +00:00
virtio.c bhyve: virtio: introduce vq_kick_enable() and vq_kick_disable() 2019-06-11 15:52:41 +00:00
virtio.h bhyve: virtio: introduce vq_kick_enable() and vq_kick_disable() 2019-06-11 15:52:41 +00:00
xmsr.c Emulate the AMD MSR_LS_CFG MSR used for various Ryzen errata. 2019-06-03 23:17:35 +00:00
xmsr.h various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00