Page MenuHomeFreeBSD
Differential D38128

bhyve: Fix a buffer overread in the PCI hda device model.
ClosedPublic
Actions

Authored by jhb on Jan 19 2023, 10:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Mar 27, 10:45 AM
Unknown Object (File)
Fri, Mar 27, 5:03 AM
Unknown Object (File)
Thu, Mar 26, 11:03 PM
Unknown Object (File)
Wed, Mar 25, 12:25 PM
Unknown Object (File)
Tue, Mar 24, 5:22 AM
Unknown Object (File)
Sat, Mar 7, 4:47 PM
Unknown Object (File)
Sat, Mar 7, 10:30 AM
Unknown Object (File)
Thu, Mar 5, 2:18 PM
View All Files
Subscribers
bcran
imp
rgrimes

Details

Reviewers
emaste
corvink
markj
Group Reviewers
bhyve
Commits
rGabdc47cd6969: bhyve: Fix a buffer overread in the PCI hda device model.
rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model.
Summary

The sc->codecs array contains HDA_CODEC_MAX (15) entries. The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking. The highest value (15) would overflow the array.

Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.

PR: 264582
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
6 lines

Diff 115364

View Options

usr.sbin/bhyve/pci_hda.c

Loading...