mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-27 00:33:30 +00:00
bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
The function tpm_ppi_mem_handler is vulnerable to buffer over-read and over-write, the MMIO handler serves the heap allocated structure tpm_ppi_qemu. The issue is that the structure size is smaller than 0x1000 and the handler does not validate the offset and size (sizeof is 0x15A while the handler allows up to 0x1000 bytes) Reported by: Synacktiv Reviewed by: corvink Security: FreeBSD-SA-24:10.bhyve Security: CVE-2024-41928 Security: HYP-01 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45980
This commit is contained in:
parent
01f43479b5
commit
a06fc21e77
@ -25,7 +25,7 @@
|
||||
#include "tpm_ppi.h"
|
||||
|
||||
#define TPM_PPI_ADDRESS 0xFED45000
|
||||
#define TPM_PPI_SIZE 0x1000
|
||||
#define TPM_PPI_SIZE 0x400
|
||||
|
||||
#define TPM_PPI_FWCFG_FILE "etc/tpm/config"
|
||||
|
||||
@ -100,7 +100,7 @@ tpm_ppi_init(void **sc)
|
||||
struct tpm_ppi_fwcfg *fwcfg = NULL;
|
||||
int error;
|
||||
|
||||
ppi = calloc(1, sizeof(*ppi));
|
||||
ppi = calloc(1, TPM_PPI_SIZE);
|
||||
if (ppi == NULL) {
|
||||
warnx("%s: failed to allocate acpi region for ppi", __func__);
|
||||
error = ENOMEM;
|
||||
|
Loading…
Reference in New Issue
Block a user