Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bhyve/nvme: Fix out-of-bounds read in NVMe log page
The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c is vulnerable to buffer over-read. The value logoff is user controlled but never checked against the value of logsize. Thus the difference: logsize - logoff can underflow. Due to the sc structure layout, an attacker can dump internals fields of sc and the content of next heap allocation. Reported by: Synacktiv Reviewed by: emaste, jhb Security: HYP-07 Sponsored by: Alpha-Omega Project, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46021 (cherry picked from commit b0a24be) (cherry picked from commit a5be19e)
- Loading branch information