Searched hist:"0759 b25c" (Results 1 – 2 of 2) sorted by relevance
/openbsd/usr.sbin/vmd/
vioscsi.c | diff 0759b25c Tue May 18 11:06:43 GMT 2021 dv <dv@openbsd.org> vmd(8): guest virtio drivers can cause stack & buffer overflows
A vmd guest can craft invalid virtio descriptor lengths resulting in reading and writing beyond stack-allocated buffer lengths providing an escape vector to the host.
Instead of allowing the guest to dictate read/write lengths, this commit has vmd just use compile-time lengths based on the source or destination object sizes. For instances where vmd's virtio implementation can't use this method, such as reading packets from the vionet device, cap each read with a pre-computed max chunk size.
Reported by Maxime Villard.
Tested with help from Mischa Peters, OK mlarkin@
virtio.c | diff 0759b25c Tue May 18 11:06:43 GMT 2021 dv <dv@openbsd.org> vmd(8): guest virtio drivers can cause stack & buffer overflows