ctl: limit memory allocation in pci_virtio_scsi
The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).
All kernel commands accessible from the guest are defined by
ctl_cmd_table.
The command ctl_persistent_reserve_out (cdb[0]=0x5F and cbd[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DOS attack).
Reported by: Synacktiv
Reviewed by: asomers
Security: HYP-08
Security: FreeBSD-SA-24:18.ctl
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46044
(cherry picked from commit 64b0f52be2c9d7bcecebfeef393f8ec56cb85f47)
(cherry picked from commit 2e7f4728fa738a7a7b6c4e4c46eb68952386efce)
UnifiedSplitRaw
