Page MenuHomeFreeBSD
Differential D38128

bhyve: Fix a buffer overread in the PCI hda device model.
ClosedPublic
Actions

Authored by jhb on Jan 19 2023, 10:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 12, 2:36 AM
Unknown Object (File)
Sat, Oct 11, 6:09 PM
Unknown Object (File)
Sat, Oct 11, 9:24 AM
Unknown Object (File)
Sat, Oct 11, 9:24 AM
Unknown Object (File)
Sat, Oct 11, 1:49 AM
Unknown Object (File)
Sat, Oct 4, 4:32 AM
Unknown Object (File)
Sep 14 2025, 8:41 PM
Unknown Object (File)
Aug 27 2025, 11:26 PM
View All 93 Files
Subscribers
bcran
imp
rgrimes

Details

Reviewers
emaste
corvink
markj
Group Reviewers
bhyve
Commits
rGabdc47cd6969: bhyve: Fix a buffer overread in the PCI hda device model.
rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model.
Summary

The sc->codecs array contains HDA_CODEC_MAX (15) entries. The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking. The highest value (15) would overflow the array.

Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.

PR: 264582
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
6 lines

Diff 115364

View Options

usr.sbin/bhyve/pci_hda.c

Loading...