Page MenuHomeFreeBSD
Differential D38127

bhyve: Fix a global buffer overread in the PCI hda device model.
ClosedPublic
Actions

Authored by jhb on Jan 19 2023, 10:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 23 2023, 1:10 AM
Unknown Object (File)
Dec 12 2023, 5:21 PM
Unknown Object (File)
Nov 26 2023, 5:21 AM
Unknown Object (File)
Nov 24 2023, 1:00 PM
Unknown Object (File)
Nov 24 2023, 5:54 AM
Unknown Object (File)
Nov 22 2023, 1:36 PM
Unknown Object (File)
Nov 22 2023, 11:58 AM
Unknown Object (File)
Nov 18 2023, 12:31 AM
View All 29 Files
Subscribers
bcran
corvink
imp
rgrimes

Details

Reviewers
emaste
corvink
markj
Group Reviewers
bhyve
Commits
rGf31dc54deed4: bhyve: Fix a global buffer overread in the PCI hda device model.
rGbfe8e339eb77: bhyve: Fix a global buffer overread in the PCI hda device model.
Summary

hda_write did not validate the relative register offset before using
it as an index into the hda_set_reg_table array to lookup a function
pointer to execute after updating the register's value.

PR: 264435
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Jan 19 2023, 10:40 PM
Herald added a reviewer: bhyve. · View Herald TranscriptJan 19 2023, 10:40 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript
jhb requested review of this revision.Jan 19 2023, 10:40 PM
Harbormaster completed remote builds in B49174: Diff 115337.Jan 19 2023, 10:40 PM
emaste accepted this revision.Jan 20 2023, 12:55 AM
emaste added inline comments.
usr.sbin/bhyve/pci_hda.c
716

offset is "enforced" to be < HDA_LAST_OFFSET via an assertion in hda_get_reg_by_offset; (as a subsequent change) should we turn that into an error return?

This revision is now accepted and ready to land.Jan 20 2023, 12:55 AM
corvink accepted this revision.Jan 20 2023, 7:05 AM
corvink added a subscriber: corvink.
corvink added inline comments.
usr.sbin/bhyve/pci_hda.c
716

I'd prefer that.

markj accepted this revision as: markj.Jan 20 2023, 1:15 PM
jhb added inline comments.Jan 20 2023, 5:49 PM
usr.sbin/bhyve/pci_hda.c
716

No, the offset is never bigger than that since the BAR is registered as having that size:

static int
pci_hda_init(struct pci_devinst *pi, nvlist_t *nvl)
{
...
	/* allocate one BAR register for the Memory address offsets */
	pci_emul_alloc_bar(pi, 0, PCIBAR_MEM32, HDA_LAST_OFFSET);

The offset should never be larger unless there is a bug in pci_emul.c, so using an assert() rather than an error check in the get/set_reg routines is correct. (If we break generic PCI BAR handling in bhyve, we'd rather get core dumps due to assertion errors, not silently discarded errors.)

emaste added a comment.Jan 20 2023, 5:51 PM

OK, assert() is correct.

Closed by commit rGbfe8e339eb77: bhyve: Fix a global buffer overread in the PCI hda device model. (authored by jhb). · Explain WhyJan 20 2023, 5:59 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rGbfe8e339eb77: bhyve: Fix a global buffer overread in the PCI hda device model..
jhb added a commit: rGf31dc54deed4: bhyve: Fix a global buffer overread in the PCI hda device model..Jan 26 2023, 10:36 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
10 lines

Diff 115363

View Options

usr.sbin/bhyve/pci_hda.c

Loading...