Page MenuHomeFreeBSD
Differential D38128

bhyve: Fix a buffer overread in the PCI hda device model.
ClosedPublic
Actions

Authored by jhb on Jan 19 2023, 10:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, May 13, 10:08 PM
Unknown Object (File)
Wed, May 13, 10:08 PM
Unknown Object (File)
Wed, May 13, 9:55 PM
Unknown Object (File)
Wed, Apr 29, 8:50 AM
Unknown Object (File)
Fri, Apr 24, 11:27 PM
Unknown Object (File)
Apr 22 2026, 7:23 PM
Unknown Object (File)
Apr 21 2026, 9:05 PM
Unknown Object (File)
Apr 19 2026, 7:01 PM
View All Files
Subscribers
bcran
imp
rgrimes

Details

Reviewers
emaste
corvink
markj
Group Reviewers
bhyve
Commits
rGabdc47cd6969: bhyve: Fix a buffer overread in the PCI hda device model.
rGcf57f20edcf9: bhyve: Fix a buffer overread in the PCI hda device model.
Summary

The sc->codecs array contains HDA_CODEC_MAX (15) entries. The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking. The highest value (15) would overflow the array.

Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.

PR: 264582
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
6 lines

Diff 115364

View Options

usr.sbin/bhyve/pci_hda.c

Loading...