A privileged guest can program an out-of-layout Virtio 1.x `queue_avail`
address for the `vioscsi` device and then notify the queue. The host-side
`vioscsi` device process dereferences a pointer derived from the unchecked
offset and terminates with `SIGSEGV`.
from Quarkslab
ok hshoexer, mlarkin
A privileged guest can notify an invalid virtio-scsi queue index. The
host-side `vioscsi` device process uses the guest-controlled value as an array
index without a bounds check, interprets adjacent process memory as virtqueue
metadata, and terminates with `SIGSEGV`.
from Quarkslab
ok hshoexer, mlarkin
Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject
the request and return without terminating the VM process.
from Quarkslab
ok hshoexer, mlarkin
A privileged guest can notify one invalid virtio-block queue index and
terminate the host-side `vioblk` device process. In the confirmed run, this
also caused the VM event thread to exit unexpectedly.
from Quarkslab
ok hshoexer, mlarkin
A privileged guest can make the host-side `vioblk` backend read a descriptor
outside the configured virtqueue descriptor table and interpret the out-of-table
entry as a block request descriptor. In the confirmed run, the guest-controlled
out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
value, and the device entered `DEVICE_NEEDS_RESET`.
from Quarkslab
ok hshoexer, mlarkin
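The five vmd(8) fixes above share one pattern: a value the guest controls (queue index, queue address, descriptor index, descriptor length) was trusted before being used as an array index or pointer offset, and a bad value crashed the device process. The following C is an added example of the kind of bounds checking those commits describe; it is not vmd(8) code. `struct vq`, `struct dev`, `guest_ptr()`, `vq_notify()` and `demo_dev()` are hypothetical names, guest memory is a constructed 4 KiB buffer, and only the virtio 1.x split-ring descriptor layout is real. Every failure path returns an error rather than aborting, which is the point of the "do not call fatalx()" commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Virtio 1.x split-ring descriptor, as laid out in guest memory. */
struct vring_desc {
	uint64_t addr;
	uint32_t len;
	uint16_t flags;
	uint16_t next;
};
#define VRING_DESC_F_NEXT	1

#define VQ_MAX		2	/* queues this hypothetical device exposes */
#define GUEST_MEM	4096	/* constructed guest memory: a single page */

/* Hypothetical per-queue state; a real device keeps far more. */
struct vq {
	uint16_t	qs;	/* queue size: number of descriptors */
	uint64_t	q_desc;	/* guest-physical address of the descriptor table */
};

struct dev {
	uint8_t		gmem[GUEST_MEM];	/* constructed guest memory */
	struct vq	vq[VQ_MAX];
};

/*
 * Translate the guest range [gpa, gpa + len) into a host pointer, or return
 * NULL when it is not inside the guest's memory layout. The subtraction form
 * avoids gpa + len wrapping for a huge guest-chosen gpa.
 */
static const uint8_t *
guest_ptr(const struct dev *d, uint64_t gpa, uint64_t len)
{
	if (gpa >= GUEST_MEM || len > GUEST_MEM - gpa)
		return NULL;
	return d->gmem + gpa;
}

/*
 * Handle a queue notification. Returns the total length of the descriptor
 * chain starting at head, or -1 if anything the guest controls (queue index,
 * descriptor table address, descriptor index, buffer address or length) is
 * out of bounds. Every failure returns instead of aborting, so a hostile
 * guest cannot take the device process down with it.
 */
int64_t
vq_notify(const struct dev *d, unsigned int qidx, uint16_t head)
{
	const struct vq *q;
	const uint8_t *table;
	struct vring_desc desc;
	uint16_t idx = head, hops = 0;
	int64_t total = 0;

	if (qidx >= VQ_MAX)			/* queue index is an array index */
		return -1;
	q = &d->vq[qidx];
	if (q->qs == 0)
		return -1;
	/* the whole descriptor table must lie inside guest memory */
	table = guest_ptr(d, q->q_desc, (uint64_t)q->qs * sizeof(desc));
	if (table == NULL)
		return -1;

	for (;;) {
		if (idx >= q->qs)		/* index past the end of the table */
			return -1;
		memcpy(&desc, table + (size_t)idx * sizeof(desc), sizeof(desc));
		if (desc.len == 0 || guest_ptr(d, desc.addr, desc.len) == NULL)
			return -1;		/* bad length or buffer outside guest memory */
		total += desc.len;
		if (!(desc.flags & VRING_DESC_F_NEXT))
			break;
		if (++hops >= q->qs)		/* chain that never terminates */
			return -1;
		idx = desc.next;
	}
	return total;
}

/* Constructed device state: queue 0 has a valid 8-entry table at 0x100 holding
 * a mix of well-formed and hostile descriptors; queue 1 places its table past
 * the end of guest memory. */
static struct dev demo;

static void
put_desc(uint16_t i, uint64_t addr, uint32_t len, uint16_t flags, uint16_t next)
{
	struct vring_desc d = { addr, len, flags, next };
	memcpy(demo.gmem + 0x100 + (size_t)i * sizeof(d), &d, sizeof(d));
}

const struct dev *
demo_dev(void)
{
	memset(&demo, 0, sizeof(demo));
	demo.vq[0].qs = 8;
	demo.vq[0].q_desc = 0x100;
	demo.vq[1].qs = 8;
	demo.vq[1].q_desc = GUEST_MEM - 8;		/* out-of-layout table address */
	put_desc(0, 0x800, 16, VRING_DESC_F_NEXT, 1);	/* good two-entry chain */
	put_desc(1, 0x900, 8, 0, 0);
	put_desc(2, 0x800, 16, VRING_DESC_F_NEXT, 9);	/* next index outside the table */
	put_desc(3, 0x2000, 16, 0, 0);			/* buffer outside guest memory */
	put_desc(4, 0x800, 0, 0, 0);			/* zero-length descriptor */
	put_desc(5, 0x800, 8, VRING_DESC_F_NEXT, 5);	/* self-loop */
	return &demo;
}

int
main(void)
{
	const struct dev *d = demo_dev();
	printf("good chain: %lld\n", (long long)vq_notify(d, 0, 0));
	printf("bad queue index: %lld\n", (long long)vq_notify(d, VQ_MAX, 0));
	printf("table out of layout: %lld\n", (long long)vq_notify(d, 1, 0));
	return 0;
}
```

The queue index check corresponds to the two "invalid queue index" commits, the descriptor table range check to the out-of-layout `queue_avail` and out-of-table descriptor commits, and the length and buffer check to the descriptor-length commit. The hop counter is an extra guard against a descriptor chain that loops, which a device walking guest-written `next` fields also needs.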
Revert a small part of the earlier adjout_prefix_dump diff.
In up_process_prefix() bring back the path_id_tx hack for regular peers.
A peer not using add-path send will set the path_id_tx to 0 and so
adjout_prefix_first() will return the right match.
This was undone because there is a problem with this when a peer switches
mode (from add-path send back to no add-path). adjout_prefix_first()
returns a prefix where path_id_tx is not 0 but adjout_prefix_update()
expects that to be 0. This edge case is far less common and a better
workaround can be found here.
Fixes the addpath integration test.
Previous commit introduced a logic bug.
Code needs to call ib_dump_free() for every context where
id matches ctx->ctx_id and ctx->ctx_re is set (this skips
adjout_prefix_dump contexts since there ctx_re is NULL).
OK tb@
Avoid infinite loop when parsing PFKEY replies
In bgpd, iked, isakmpd, ldpd and sasyncd we have similar code to
parse PFKEY replies from the kernel. To avoid an infinite loop on
malformed replies validate the SADB extension size.
For consistency with the other daemons rewrite the parsing loop of
iked.
sasyncd already validates the extension size, so no change needed.
ok claudio@ tb@ tobhe@
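As an added illustration of the check that commit describes (this is not the parsing code of bgpd, iked, isakmpd, ldpd or sasyncd): a PF_KEY reply is a `sadb_msg` header followed by extensions that each begin with a `sadb_ext` header whose `sadb_ext_len` is counted in 64-bit words. A loop that advances by `sadb_ext_len` without validating it spins forever on a zero length and reads past the message on an oversized one. The structs are defined locally with the RFC 2367 layout so the example builds anywhere; `pfkey_parse_exts()`, `parse_constructed()` and the `tamper` enum are hypothetical names, and the replies are constructed, not captured from a kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PF_KEYv2 (RFC 2367) header layouts, defined here so the example
 * builds without <net/pfkeyv2.h>. All length fields count 64-bit words. */
#define PFKEYV2_CHUNK	8

struct sadb_msg {
	uint8_t		sadb_msg_version;
	uint8_t		sadb_msg_type;
	uint8_t		sadb_msg_errno;
	uint8_t		sadb_msg_satype;
	uint16_t	sadb_msg_len;
	uint16_t	sadb_msg_reserved;
	uint32_t	sadb_msg_seq;
	uint32_t	sadb_msg_pid;
};

struct sadb_ext {
	uint16_t	sadb_ext_len;
	uint16_t	sadb_ext_type;
};

/*
 * Walk the extensions that follow a PF_KEY reply, storing each extension
 * type in types[] (at most ntypes of them). Returns the number of extensions
 * or -1 when the reply is malformed. Without the sadb_ext_len check a zero
 * length would never advance off and an oversized one would run past msglen.
 */
int
pfkey_parse_exts(const uint8_t *buf, size_t buflen, uint16_t *types, size_t ntypes)
{
	struct sadb_msg msg;
	struct sadb_ext ext;
	size_t off, msglen, extlen;
	int n = 0;

	if (buflen < sizeof(msg))
		return -1;
	memcpy(&msg, buf, sizeof(msg));
	msglen = (size_t)msg.sadb_msg_len * PFKEYV2_CHUNK;
	if (msglen < sizeof(msg) || msglen > buflen)
		return -1;

	for (off = sizeof(msg); off < msglen; off += extlen) {
		if (msglen - off < sizeof(ext))
			return -1;
		memcpy(&ext, buf + off, sizeof(ext));
		extlen = (size_t)ext.sadb_ext_len * PFKEYV2_CHUNK;
		/* the validation: an extension must at least cover its own
		 * header and must end inside the message */
		if (extlen < sizeof(ext) || extlen > msglen - off)
			return -1;
		if ((size_t)n < ntypes)
			types[n] = ext.sadb_ext_type;
		n++;
	}
	return n;
}

/* Ways to corrupt a well-formed constructed reply before parsing it. */
enum tamper { TAMPER_NONE, TAMPER_ZERO_LEN, TAMPER_OVERSIZE, TAMPER_TRUNCATE };

/*
 * Build a constructed reply with nexts extensions of the given lengths (in
 * words, each at least 1), optionally corrupt it, and return the parser's
 * verdict. Returns -2 if the requested test input itself does not fit.
 */
int
parse_constructed(const uint16_t *extlens, size_t nexts, enum tamper t)
{
	uint8_t buf[512];
	uint16_t types[16];
	struct sadb_msg msg;
	struct sadb_ext ext;
	size_t off = sizeof(msg), last = 0, buflen, i;

	memset(buf, 0, sizeof(buf));
	for (i = 0; i < nexts; i++) {
		if (extlens[i] == 0 ||
		    off + (size_t)extlens[i] * PFKEYV2_CHUNK > sizeof(buf))
			return -2;
		ext.sadb_ext_len = extlens[i];
		ext.sadb_ext_type = (uint16_t)(i + 1);
		last = off;
		memcpy(buf + off, &ext, sizeof(ext));
		off += (size_t)extlens[i] * PFKEYV2_CHUNK;
	}
	memset(&msg, 0, sizeof(msg));
	msg.sadb_msg_version = 2;
	msg.sadb_msg_len = (uint16_t)(off / PFKEYV2_CHUNK);
	memcpy(buf, &msg, sizeof(msg));
	buflen = off;

	/* corrupt the last extension the way a malformed reply would */
	if (nexts > 0 && (t == TAMPER_ZERO_LEN || t == TAMPER_OVERSIZE)) {
		memcpy(&ext, buf + last, sizeof(ext));
		ext.sadb_ext_len = (t == TAMPER_ZERO_LEN) ? 0 : 0xffff;
		memcpy(buf + last, &ext, sizeof(ext));
	} else if (t == TAMPER_TRUNCATE && buflen > 0)
		buflen--;
	return pfkey_parse_exts(buf, buflen, types, 16);
}

int
main(void)
{
	const uint16_t lens[] = { 1, 2, 3 };
	printf("well-formed: %d\n", parse_constructed(lens, 3, TAMPER_NONE));
	printf("zero ext len: %d\n", parse_constructed(lens, 3, TAMPER_ZERO_LEN));
	printf("oversized ext: %d\n", parse_constructed(lens, 3, TAMPER_OVERSIZE));
	return 0;
}
```

The check uses `extlen > msglen - off` rather than `off + extlen > msglen` so that an extension length near the top of the 16-bit range cannot wrap the comparison on a platform where `size_t` is narrow.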
Adjust the adjout_prefix_dump walker to operate using the adjout_bid
and stop using peer_get() in the walker.
This fixes the peer_reaper walker which before this was not working
at all. The peer reaper removed the peer from the RB tree before walking
the table and so peer_get() would return NULL and abort the walk immediately.
Adjust the adjout_prefix_dump context to use the adjout_bid and stop using
peer->conf.id and peer_get.
To make this work the following changes are needed:
- For the callback drop the struct rde_peer argument instead add a uint32_t
bid argument.
- adjout_prefix_first() also needs to switch to using the adjout bitmask id
instead of using the peer directly.
- also change adjout_prefix_next() just to be in sync with
adjout_prefix_first()
- In most callbacks use the arg pointer to pass in the peer
- Adjust rde_dump_ctx_new() and rde_dump_adjout_upcall(). The latter now
[8 lines not shown]
The extended nexthop capability only works with 'fib-update no'
enforce this in the parser.
Right now there is no FIB support for IPv6 nexthops for IPv4 routes.
Both the bgpd kroute.c code and the OpenBSD network stack are not ready
for this. This feature is currently only used to allow some IXP to play
with RFC8950 so no FIB support is fine for that use case.
Protect other people from tripping over this thinking there is full support.
Issue brought up by a report from 7Asecurity
OK tb@