freebsd-skq/usr.sbin/bhyve
jhb 242d0be1ff Validate guest-supplied length of headers for TSO transmit requests.
When transmitting a large TCP packet, the final transmit descriptor
includes the length of the protocol headers to be duplicated on each
segment.  The device model was trusting the guest-supplied value
without validating it.  A value of zero would result in the guest
being able to indirect a garbage pointer on the stack to overwrite
arbitrary memory in the bhyve process.  A value that was non-zero but
too small for the requested parameters resulted in the device model
reading and writing values beyond the end of the on-stack buffer used
to hold the template header.

To fix, validate the supplied length and drop requests to transmit
packets that would overflow the header buffer.  While here, initialize
the header pointer to NULL as a preventive measure so that any access
to an unallocated template header crashes the hypervisor
deterministically.

While here, only read the TCP sequence number if the packet being
split is a TCP packet.  The e1000 logic supports a segmentation of UDP
frames, and while UDP segmentation requires this part of the header to
be valid (so there is no buffer overflow), only reading the field when
needed is cleaner.

admbugs:	918
Reported by:	Reno Robert <renorobert@gmail.com>
Reviewed by:	markj
Approved by:	so
Security:	CVE-2019-5609
2019-08-05 21:39:55 +00:00
..
acpi.c Acpi MADT table correction for VM_MAXCPU > 21 2019-04-25 22:52:44 +00:00
acpi.h
ahci.h
atkbdc.c
atkbdc.h
audio.c bhyve/audio: don't leak resources on failed initialization. 2019-07-03 17:24:24 +00:00
audio.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
bhyve.8 Correct name of vmm(4) pptdevs variable. 2019-07-02 14:53:51 +00:00
bhyvegc.c
bhyvegc.h
bhyverun.c Revert r343634: 2019-02-01 03:09:11 +00:00
bhyverun.h Make bhyve SMBIOS table topology aware 2019-04-25 22:53:55 +00:00
block_if.c Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
block_if.h Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
bootrom.c
bootrom.h
console.c
console.h
consport.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
dbgport.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
dbgport.h
fwctl.c Always treat firmware request and response sizes as unsigned. 2018-12-04 18:28:25 +00:00
fwctl.h
gdb.c Use parse_integer to avoid sign extension. 2019-06-05 23:37:50 +00:00
gdb.h Drop "All rights reserved" from my copyright statements. 2019-03-06 22:11:45 +00:00
hda_codec.c Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
hda_reg.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
hdac_reg.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
inout.c
inout.h
ioapic.c
ioapic.h
iov.c Fix several iov handling bugs in bhyve virtio-scsi backend. 2018-12-07 20:30:00 +00:00
iov.h Fix several iov handling bugs in bhyve virtio-scsi backend. 2018-12-07 20:30:00 +00:00
Makefile bhyve: abstraction for network backends 2019-07-07 12:15:24 +00:00
Makefile.depend
mem.c Add support for writing to guest memory in the debug server. 2019-05-24 00:34:13 +00:00
mem.h Add support for writing to guest memory in the debug server. 2019-05-24 00:34:13 +00:00
mevent_test.c
mevent.c usr.sbin/bhyve: send an initialized value to wake up blocking kqueue 2019-07-11 23:54:50 +00:00
mevent.h
mptbl.c
mptbl.h
net_backends.c usr.sbin/bhyve: close backend file descriptor during tap init error 2019-07-12 18:50:46 +00:00
net_backends.h bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
net_utils.c bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
net_utils.h bhyve: add missing license identifiers in net_utils and net_backend 2019-07-09 22:04:33 +00:00
pci_ahci.c Define AHCI_PORT_IDENT and increase by 1 the VTBLK_BLK_ID_BYTES 2018-11-20 22:21:19 +00:00
pci_e82545.c Validate guest-supplied length of headers for TSO transmit requests. 2019-08-05 21:39:55 +00:00
pci_emul.c Remove a spurious break when setting up a 64-bit memory BAR. 2019-06-12 16:49:01 +00:00
pci_emul.h Keep the shadow PCIR_COMMAND synced with the real one for pass through. 2019-06-07 15:53:27 +00:00
pci_fbuf.c usr.sbin/bhyve: commit miss from r349918 2019-07-11 19:51:33 +00:00
pci_hda.c Fix the register layout for the Buffer Descript List Entry. It 2019-07-23 18:40:07 +00:00
pci_hda.h Add SPDX tags to bhyve(8) HD Audio device. 2019-06-25 06:24:56 +00:00
pci_hostbridge.c
pci_irq.c
pci_irq.h
pci_lpc.c Add -s "help" and -l "help" to print a list of supported PCI and LPC devices. 2018-08-22 20:23:08 +00:00
pci_lpc.h Add -s "help" and -l "help" to print a list of supported PCI and LPC devices. 2018-08-22 20:23:08 +00:00
pci_nvme.c bhyve: update the NVMe CQ based on the status 2019-07-17 03:19:30 +00:00
pci_passthru.c usr.sbin/bhyve: only unassign a pt device after obtaining bus/slot/func 2019-07-12 18:33:58 +00:00
pci_uart.c
pci_virtio_block.c Increase the VirtIO segment count to support modern Windows guests. 2019-05-02 22:46:37 +00:00
pci_virtio_console.c usr.sbin/bhyve: free resources when erroring out of pci_vtcon_sock_add() 2019-07-12 18:20:56 +00:00
pci_virtio_net.c usr.sbin/bhyve: free resources when erroring out of pci_vtnet_init() 2019-07-12 05:19:37 +00:00
pci_virtio_rnd.c Use capsicum_helpers(3) that allow us to simplify the code and its functions 2019-01-16 00:39:23 +00:00
pci_virtio_scsi.c usr.sbin/bhyve: prevent use-after-free in virtio scsi request handling 2019-07-12 18:17:35 +00:00
pci_xhci.c bhyve: correct out-of-bounds read in XHCI device emulation 2019-07-23 16:27:36 +00:00
pci_xhci.h
pm.c
post.c
ps2kbd.c Remove printf for debug purpose forgotten on r340046. 2018-11-02 13:48:06 +00:00
ps2kbd.h
ps2mouse.c
ps2mouse.h
rfb.c usr.sbin/bhyve: free resources if there is an initialization error in rfb 2019-07-11 19:07:45 +00:00
rfb.h
rtc.c
rtc.h
smbiostbl.c Make bhyve SMBIOS table topology aware 2019-04-25 22:53:55 +00:00
smbiostbl.h
sockstream.c
sockstream.h
spinup_ap.c
spinup_ap.h
task_switch.c
uart_emul.c usr.sbin/bhyve: don't leak a FD if the device is not a tty 2019-07-12 18:13:58 +00:00
uart_emul.h
usb_emul.c
usb_emul.h
usb_mouse.c Revert r343634: 2019-02-01 03:09:11 +00:00
vga.c
vga.h
virtio.c bhyve: virtio: introduce vq_kick_enable() and vq_kick_disable() 2019-06-11 15:52:41 +00:00
virtio.h bhyve: virtio: introduce vq_kick_enable() and vq_kick_disable() 2019-06-11 15:52:41 +00:00
xmsr.c Emulate the AMD MSR_LS_CFG MSR used for various Ryzen errata. 2019-06-03 23:17:35 +00:00
xmsr.h