Date: Sun, 6 Oct 2024 15:04:44 GMT
Message-Id: <202410061504.496F4iDJ048596@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 757bbf484c0b - stable/14 - bhyve: improve bounds checks in hda_codec
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 757bbf484c0bab2c4c7b504017079cceb833f7ae
Auto-Submitted: auto-generated

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=757bbf484c0bab2c4c7b504017079cceb833f7ae

commit 757bbf484c0bab2c4c7b504017079cceb833f7ae
Author:     Pierre Pronchery
AuthorDate: 2024-07-24 14:56:54 +0000
Commit:     Ed Maste
CommitDate: 2024-10-06 15:04:29 +0000

    bhyve: improve bounds checks in hda_codec

    The function hda_codec_command is vulnerable to a buffer over-read: the
    payload value is extracted from the command and used as an array index
    without any validation.

    Fortunately, the payload value is capped at 255, so the information
    disclosure is limited and only a small part of .rodata of the bhyve
    binary can be disclosed.

    The risk is low because the leaked information is not sensitive. An
    attacker may be able to validate the version of the bhyve binary using
    this information disclosure (layout of .rodata information, e.g.
    jmp_tables) before executing an exploit.

    Reported by:	Synacktiv
    Reviewed by:	christos, emaste
    Security:	HYP-13
    Sponsored by:	The Alpha-Omega Project
    Sponsored by:	The FreeBSD Foundation
    Differential Revision:	https://reviews.freebsd.org/D46098

    (cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
---
 usr.sbin/bhyve/hda_codec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/bhyve/hda_codec.c b/usr.sbin/bhyve/hda_codec.c index 1866149c020a..b7d6ec043675 100644 --- a/usr.sbin/bhyve/hda_codec.c +++ b/usr.sbin/bhyve/hda_codec.c @@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) payload = cmd_data & 0xffff; } - assert(cad == hci->cad); assert(hci); hops = hci->hops; @@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) sc = (struct hda_codec_softc *)hci->priv; assert(sc); - assert(nid < sc->no_nodes); + if (cad != hci->cad || nid >= sc->no_nodes) { + DPRINTF("Invalid command data"); + return (-1); + } if (!hops->response) { DPRINTF("The controller ops does not implement \ @@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) switch (verb) { case HDA_CMD_VERB_GET_PARAMETER: - res = sc->get_parameters[nid][payload]; + if (payload < HDA_CODEC_PARAMS_COUNT) + res = sc->get_parameters[nid][payload]; break; case HDA_CMD_VERB_GET_CONN_LIST_ENTRY: res = sc->conn_list[nid][0];
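Review bot: the rejection path in the second hunk (`@@ -530,7 +529,10 @@`) logs only "Invalid command data" with neither cad nor nid, so a guest probing this check is indistinguishable from a benign mismatch in the debug output; include the offending values, e.g. `DPRINTF("Invalid command data (cad %u nid %u)", cad, nid)` with conversions matching the declared types of cad and nid, and confirm every caller of hda_codec_command handles the new -1 return, since before this change a bad nid aborted the process via assert rather than returning to the caller.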
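Review bot: in the third hunk (`@@ -540,7 +542,8 @@`) an out-of-range payload now silently falls out of the switch with res unchanged, and the hunk does not show what res was initialised to; either make the default explicit (`res = 0;` before the switch, or an `else` branch with a DPRINTF) or confirm res is zero-initialised so the guest receives a defined response rather than a stale value. Also verify that HDA_CODEC_PARAMS_COUNT is the actual second dimension of sc->get_parameters, since the new bound is only as good as that constant.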
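The over-read described in the commit message, modelled in C as an added example (this is not bhyve's hda_codec.c). The verb decoding follows the Intel HDA 32-bit command layout (CAd in bits 31:28, NID in 27:20, a 12-bit verb in 19:8 with an 8-bit payload, or a 4-bit verb in 19:16 with a 16-bit payload); the row length `HDA_CODEC_PARAMS_COUNT`, node count, codec address `CODEC_CAD`, the marker words standing in for neighbouring .rodata, and the assumption that `res` defaults to 0 in the patched function are all constructed for the example. The parameter table is a flat array so the "vulnerable" read stays within defined memory while still returning data from beyond the node's row.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the bug fixed above; not bhyve's own code.
 * A codec keeps a per-node parameter table. In the real binary that table
 * sits in .rodata, so whatever follows it is other read-only data; here a
 * block of marker words stands in for that neighbouring data.
 */
#define NODES			4	/* stands in for sc->no_nodes (assumed) */
#define HDA_CODEC_PARAMS_COUNT	20	/* assumed row length; real value not on the page */
#define PAYLOAD_MAX		256	/* 12-bit verbs carry an 8-bit payload */
#define CODEC_CAD		0	/* stands in for hci->cad (assumed) */
#define HDA_CMD_VERB_GET_PARAMETER 0xf00 /* Intel HDA "Get Parameter" verb */
#define NEIGHBOUR_MARKER	0xdeadbeefu

/* Parameter rows laid out contiguously, followed by neighbouring read-only data. */
static uint32_t memory[NODES * HDA_CODEC_PARAMS_COUNT + PAYLOAD_MAX];
static int memory_ready;

static void
init_memory(void)
{
	size_t i;

	if (memory_ready)
		return;
	/* Each table word encodes (node << 8 | param) so a leak is recognisable. */
	for (i = 0; i < (size_t)(NODES * HDA_CODEC_PARAMS_COUNT); i++)
		memory[i] = (uint32_t)(((i / HDA_CODEC_PARAMS_COUNT) << 8) |
		    (i % HDA_CODEC_PARAMS_COUNT));
	for (; i < sizeof(memory) / sizeof(memory[0]); i++)
		memory[i] = NEIGHBOUR_MARKER;
	memory_ready = 1;
}

/* Build a 32-bit HDA verb: CAd[31:28] NID[27:20] verb[19:8] payload[7:0]. */
static uint32_t
make_cmd(unsigned cad, unsigned nid, unsigned verb, unsigned payload)
{
	return (((cad & 0xf) << 28) | ((nid & 0xff) << 20) |
	    ((verb & 0xfff) << 8) | (payload & 0xff));
}

struct hda_cmd {
	unsigned cad, nid, verb, payload;
};

/* Split a command the way the guest encoded it (12-bit vs 4-bit verb form). */
static void
decode_cmd(uint32_t cmd_data, struct hda_cmd *c)
{
	c->cad = (cmd_data >> 28) & 0xf;
	c->nid = (cmd_data >> 20) & 0xff;
	if ((cmd_data & 0x70000) == 0x70000) {	/* 12-bit verb, 8-bit payload */
		c->verb = (cmd_data >> 8) & 0xfff;
		c->payload = cmd_data & 0xff;
	} else {				/* 4-bit verb, 16-bit payload */
		c->verb = (cmd_data >> 16) & 0xf;
		c->payload = cmd_data & 0xffff;
	}
}

/*
 * Before the fix: nid was only assert()ed (kept as a real check here so the
 * model stays inside `memory`) and payload was never checked, so
 * get_parameters[nid][payload] with a large payload reads past the node's
 * row and, for the last node, past the whole table. Returns -1 for an
 * unsupported verb, otherwise the word the guest would receive.
 */
static int64_t
vulnerable_get_parameter(uint32_t cmd_data)
{
	struct hda_cmd c;

	init_memory();
	decode_cmd(cmd_data, &c);
	if (c.nid >= NODES || c.verb != HDA_CMD_VERB_GET_PARAMETER)
		return (-1);
	return (memory[c.nid * HDA_CODEC_PARAMS_COUNT + c.payload]);
}

/*
 * After the fix: a cad or nid mismatch is rejected with -1, and a payload
 * outside the row yields the default response (0, the assumed initial value
 * of res) instead of a neighbouring word.
 */
static int64_t
hardened_get_parameter(uint32_t cmd_data)
{
	struct hda_cmd c;
	uint32_t res = 0;

	init_memory();
	decode_cmd(cmd_data, &c);
	if (c.cad != CODEC_CAD || c.nid >= NODES)
		return (-1);
	if (c.verb != HDA_CMD_VERB_GET_PARAMETER)
		return (-1);
	if (c.payload < HDA_CODEC_PARAMS_COUNT)
		res = memory[c.nid * HDA_CODEC_PARAMS_COUNT + c.payload];
	return (res);
}

int
main(void)
{
	/* Last node, maximum payload: the probe a guest would use to read past the table. */
	uint32_t probe = make_cmd(CODEC_CAD, NODES - 1,
	    HDA_CMD_VERB_GET_PARAMETER, 0xff);

	printf("vulnerable: 0x%llx\n", (long long)vulnerable_get_parameter(probe));
	printf("hardened:   0x%llx\n", (long long)hardened_get_parameter(probe));
	return (0);
}
```

The vulnerable path returns the marker word for the probe, which is exactly the read-only-data leak the commit describes (bounded to 255 words past the row because the 12-bit verb form only carries an 8-bit payload); the hardened path returns the default response for the same command and rejects a wrong codec address or node outright.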