Differential D38128

bhyve: Fix a buffer overread in the PCI hda device model.
ClosedPublic
Actions

Authored by jhb on Jan 19 2023, 10:40 PM.

Tags

None

Referenced Files

	F153669579: D38128.id.diff
	Wed, Apr 22, 7:23 PM

	Unknown Object (File)
	Tue, Apr 21, 9:05 PM

	Unknown Object (File)
	Sun, Apr 19, 7:01 PM

	Unknown Object (File)
	Sun, Apr 19, 12:34 PM

	Unknown Object (File)
	Wed, Apr 15, 2:06 PM

	Unknown Object (File)
	Wed, Apr 15, 4:29 AM

	Unknown Object (File)
	Wed, Apr 15, 2:43 AM

	Unknown Object (File)
	Tue, Apr 7, 12:39 PM

Subscribers

Details

Reviewers

emaste
corvink
markj

Group Reviewers

Commits

rGabdc47cd6969: bhyve: Fix a buffer overread in the PCI hda device model.
rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model.

Summary

The sc->codecs array contains HDA_CODEC_MAX (15) entries. The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking. The highest value (15) would overflow the array.

Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.

PR: 264582
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb created this revision.Jan 19 2023, 10:40 PM

Herald added a reviewer: bhyve. · View Herald TranscriptJan 19 2023, 10:40 PM

Herald added subscribers: bcran, rgrimes, imp. · View Herald Transcript

jhb requested review of this revision.Jan 19 2023, 10:40 PM

Harbormaster completed remote builds in B49175: Diff 115338.Jan 19 2023, 10:40 PM

emaste accepted this revision.Jan 20 2023, 12:45 AM

This revision is now accepted and ready to land.Jan 20 2023, 12:45 AM

corvink accepted this revision.Jan 20 2023, 6:54 AM

markj accepted this revision as: markj.Jan 20 2023, 1:12 PM

Closed by commit rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model. (authored by jhb). · Explain WhyJan 20 2023, 5:59 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model..

jhb added a commit: rGabdc47cd6969: bhyve: Fix a buffer overread in the PCI hda device model..Jan 26 2023, 10:37 PM

Revision Contents
Changeset List

Path

Size

usr.sbin/

bhyve/

6 lines

Diff 115364

usr.sbin/bhyve/pci_hda.c

Loading...