bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

The function tpm_ppi_mem_handler is vulnerable to buffer over-read and over-write, the MMIO handler serves the heap allocated structure tpm_ppi_qemu. The issue is that the structure size is smaller than 0x1000 and the handler does not validate the offset and size (sizeof is 0x15A while the handler allows up to 0x1000 bytes) Reported by: Synacktiv Reviewed by: corvink Security: FreeBSD-SA-24:10.bhyve Security: CVE-2024-41928 Security: HYP-01 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45980
2024-11-26 20:12:44 +00:00 · 2024-09-04 14:38:11 +00:00 · 2024-09-04 14:38:11 +00:00 · a06fc21e77
commit a06fc21e77
parent 01f43479b5
1 changed files with 2 additions and 2 deletions
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c
+++ b/usr.sbin/bhyve/tpm_ppi_qemu.c
@ -25,7 +25,7 @@
 #include "tpm_ppi.h"

 #define TPM_PPI_ADDRESS 0xFED45000
-#define TPM_PPI_SIZE 0x1000
+#define TPM_PPI_SIZE 0x400

 #define TPM_PPI_FWCFG_FILE "etc/tpm/config"

@ -100,7 +100,7 @@ tpm_ppi_init(void **sc)
 	struct tpm_ppi_fwcfg *fwcfg = NULL;
 	int error;

-	ppi = calloc(1, sizeof(*ppi));
+	ppi = calloc(1, TPM_PPI_SIZE);
 	if (ppi == NULL) {
 		warnx("%s: failed to allocate acpi region for ppi", __func__);
 		error = ENOMEM;