CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2021/05/18 08:39:23

Modified files:
	usr.sbin/vmd   : Tag: OPENBSD_6_9
	                 vioscsi.c virtio.c virtio.h

Log message:
vmd(8): guest virtio drivers can cause stack & buffer overflows

A vmd guest can craft invalid virtio descriptor lengths resulting in
reading and writing beyond stack-allocated buffer lengths providing an
escape vector to the host.

Instead of allowing the guest to dictate read/write lengths, this commit
has vmd just use compile-time lengths based on the source or destination
object sizes.

For instances where vmd's virtio implementation can't use this method,
such as reading packets from the vionet device, cap each read with a
pre-computed max chunk size.

Reported by Maxime Villard.

Tested with help from Mischa Peters, OK mlarkin@

from dv@

this is errata/6.9/003_vmd.patch.sig
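
The two patterns named in the log message (copy lengths taken from the host object's size, and chunk-capped reads for variable-length data), sketched as an added example; this is not vmd's code. The guest-memory array, the structs, `read_guest`, `read_hdr`, `read_packet` and `MAX_CHUNK` are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GUEST_MEM_SIZE 4096
#define MAX_CHUNK      256  /* assumed pre-computed cap for variable-length reads */

static uint8_t guest_mem[GUEST_MEM_SIZE];  /* constructed stand-in for guest RAM */

struct desc    { uint64_t addr; uint32_t len; };     /* written by the guest */
struct req_hdr { uint32_t type; uint32_t sector; };  /* hypothetical host object */

/* Copy len bytes out of guest memory; fail if the range leaves guest RAM. */
static int read_guest(void *dst, uint64_t addr, size_t len)
{
    if (addr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - addr)
        return -1;
    memcpy(dst, guest_mem + addr, len);
    return 0;
}

/*
 * Fixed-size object: the copy length is sizeof(*hdr), known at compile time.
 * The unsafe form is read_guest(hdr, d->addr, d->len), where the guest picks
 * how many bytes are written into a host stack object.
 */
int read_hdr(const struct desc *d, struct req_hdr *hdr)
{
    return read_guest(hdr, d->addr, sizeof(*hdr));
}

/*
 * Variable-size data: each read is capped at the host buffer size, so d->len
 * only decides how many iterations run. Returns bytes consumed, or -1 when
 * the descriptor runs past guest RAM. *sum stands in for packet processing.
 */
long read_packet(const struct desc *d, uint8_t *sum)
{
    uint8_t chunk[MAX_CHUNK];
    uint64_t off = 0;

    while (off < d->len) {
        size_t n = d->len - off;
        if (n > sizeof(chunk))
            n = sizeof(chunk);
        if (read_guest(chunk, d->addr + off, n) != 0)
            return -1;
        for (size_t i = 0; i < n; i++)
            *sum += chunk[i];
        off += n;
    }
    return (long)off;
}
```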