[Midnightbsd-cvs] [MidnightBSD/src] d1b8b5: The ggatec(8) daemon does not validate the size of...
Lucas Holt
noreply at github.com
Wed Aug 25 10:08:55 EDT 2021
Branch: refs/heads/stable/2.0
Home: https://github.com/MidnightBSD/src
Commit: d1b8b59f5ea44308f1854808fc9d099d78b1d758
https://github.com/MidnightBSD/src/commit/d1b8b59f5ea44308f1854808fc9d099d78b1d758
Author: Lucas Holt <luke at foolishgames.com>
Date: 2021-08-25 (Wed, 25 Aug 2021)
Changed paths:
M sbin/ggate/ggatec/ggatec.c
Log Message:
-----------
The ggatec(8) daemon does not validate the size of a response before writing
it to a fixed-sized buffer. This allows to overwrite the stack of ggatec(8).
Obtained from: FreeBSD
Commit: 41ebc7e1c87088432800f0026a28cec37b39e34e
https://github.com/MidnightBSD/src/commit/41ebc7e1c87088432800f0026a28cec37b39e34e
Author: Lucas Holt <luke at foolishgames.com>
Date: 2021-08-25 (Wed, 25 Aug 2021)
Changed paths:
M usr.sbin/bhyve/pci_virtio_console.c
M usr.sbin/bhyve/pci_virtio_rnd.c
Log Message:
-----------
Certain VirtIO-based device models failed to handle errors when fetching
I/O descriptors. Such errors could be triggered by a malicious guest.
As a result, the device model code could be tricked into operating on
uninitialized I/O vectors, leading to memory corruption.
Obtained from: FreeBSD
Compare: https://github.com/MidnightBSD/src/compare/1de512a30fe8...41ebc7e1c870
More information about the Midnightbsd-cvs
mailing list