HomeFreeBSD

bhyve: improve bounds checks in hda_codec

Description

bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of .rodata of bhyve binary
can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.

Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46098

Details

Provenance
khorben_defora.orgAuthored on Jul 24 2024, 2:56 PM
emasteCommitted on Oct 3 2024, 9:14 PM
Reviewer
christos
Differential Revision
Restricted Differential Revision
Parents
rGfd3d13678e9e: sglist.9: fix typo
Branches
Unknown
Tags
Unknown