CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	John Baldwin <jhb@FreeBSD.org>
	Mon, 5 Aug 2019 21:39:55 +0000 (21:39 +0000)
committer	John Baldwin <jhb@FreeBSD.org>
	Mon, 5 Aug 2019 21:39:55 +0000 (21:39 +0000)
commit	ed9ffd2f09f71dec4c0e7253cf91d0b8aa2f70dd
tree	81a5863460110ab0218cd14fdc5be44191975827	tree \| snapshot
parent	c878d1eb45c566b3f5efb12f386ce48526bcf000	commit \| diff

Validate guest-supplied length of headers for TSO transmit requests.

When transmitting a large TCP packet, the final transmit descriptor
includes the length of the protocol headers to be duplicated on each
segment.  The device model was trusting the guest-supplied value
without validating it.  A value of zero would result in the guest
being able to indirect a garbage pointer on the stack to overwrite
arbitrary memory in the bhyve process.  A value that was non-zero but
too small for the requested parameters resulted in the device model
reading and writing values beyond the end of the on-stack buffer used
to hold the template header.

To fix, validate the supplied length and drop requests to transmit
packets that would overflow the header buffer.  While here, initialize
the header pointer to NULL as a preventive measure so that any access
to an unallocated template header crashes they hypervisor
deterministically.

While here, only read the TCP sequence number if the packet being
split is a TCP packet.  The e1000 logic supports a segmentation of UDP
frames, and while UDP segmentation requires this part of the header to
be valid (so there is no buffer overflow), only reading the field when
needed is cleaner.

admbugs: 918
Reported by: Reno Robert <renorobert@gmail.com>
Reviewed by: markj
Approved by: so
Security: CVE-2019-5609