CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]   2026/06/01 09:23:54

Modified files:
        usr.sbin/vmd   : Tag: OPENBSD_7_9 config.c vioblk.c vioscsi.c 
                         virtio.c 

Log message:
A privileged guest can make the host-side `vioblk` backend read a descriptor
outside the configured virtqueue descriptor table and interpret the out-of-table
entry as a block request descriptor. In the confirmed run, the guest-controlled
out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
value, and the device entered `DEVICE_NEEDS_RESET`.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin

A privileged guest can notify one invalid virtio-block queue index and
terminate the host-side `vioblk` device process. In the confirmed run, this
also caused the VM event thread to exit unexpectedly.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin

Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject
the request and return without terminating the VM process.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin

A privileged guest can notify an invalid virtio-scsi queue index. The
host-side `vioscsi` device process uses the guest-controlled value as an array
index without a bounds check, interprets adjacent process memory as virtqueue
metadata, and terminates with `SIGSEGV`.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin

A privileged guest can program an out-of-layout Virtio 1.x `queue_avail`
address for the `vioscsi` device and then notify the queue. The host-side
`vioscsi` device process dereferences a pointer derived from the unchecked
offset and terminates with `SIGSEGV`.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin

vmd: Unbreak using images supplied with vmctl -b
My previous fix for reused file descriptors broke using images
supplied with "vmctl -b": In that case, kernfd remained set to -1,
thus passing that file descriptor to the child process failed.
To resolve this, dup vm->vm_kernel right before passing the descriptor
with proc_compose().  This fixes -b and keeps the original fix
working.
In the error path I rely on vm_stop()/vm_remove() closing vm->vm_kernel.
Therefore, remove the redundant close().
from hshoexer@; ok mlarkin@ deraadt@

Fix vmd(8) emulation for Linux guests.
The memory safety checks introduced in the previous commit were too
strict and broke Linux guests running on top of vmd.  Adapt the
checks to the variation of virtio 1.x that vmd implements.
virtio 1.x doesn't need page alignment.  The used area offset needs
to just be 4-byte aligned for some sanity, but not really critical.
The descriptor table, available area, and used areas must be in
guest memory ranges and not spill out, allowing guest access to host
memory, by using hvaddr_mem() to check.
from dv@; OK mlarkin@; tested by jmatthew@ and Remi Bougard

this is errata/7.9/003_vmd.patch.sig
