git: 6acac2ca9aa1 - releng/14.1 - bhyve: validate corb->wp to avoid infinite loop

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Tue, 29 Oct 2024 18:45:34 UTC
The branch releng/14.1 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=6acac2ca9aa19cb20426c1a8bbb02df30e5ddb5c

commit 6acac2ca9aa19cb20426c1a8bbb02df30e5ddb5c
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-09-19 18:57:42 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 18:43:34 +0000

    bhyve: validate corb->wp to avoid infinite loop
    
    Guests must set HDAC_CORBWP less than corb->size.  Treat invalid values
    as an error rather than entering an infinite loop.
    
    Reported by:    Synacktiv
    Reviewed by:    markj
    Security:       HYP-12
    Security:       FreeBSD-SA-24:17.bhyve
    Approved by:    so
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D46134
    
    (cherry picked from commit a305f44d1404fbf386bb2b50ab7233ce9eabe0bb)
    (cherry picked from commit 6a645bb3535cb73b1f20db652c9e3893f26a986e)
---
 usr.sbin/bhyve/pci_hda.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c
index 6f0c1b6cfba9..58481af71a4c 100644
--- a/usr.sbin/bhyve/pci_hda.c
+++ b/usr.sbin/bhyve/pci_hda.c
@@ -789,6 +789,11 @@ hda_corb_run(struct hda_softc *sc)
 	int err;
 
 	corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
+	if (corb->wp >= corb->size) {
+		DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
+		    corb->size);
+		return (-1);
+	}
 
 	while (corb->rp != corb->wp && corb->run) {
 		corb->rp++;
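Review bot: the new range check in hda_corb_run() runs after `corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);`, so on the error path the out-of-range value is still stored in corb->wp when the function returns -1. Consider reading the register into a local, comparing it against corb->size, and assigning corb->wp only once it passes, so that no later reader of corb->wp sees the unvalidated value. The loop that follows exits on `corb->rp != corb->wp` after `corb->rp++`, so a one-line comment on the check saying that an out-of-range wp keeps that condition from ever becoming false would document why it is there, and it is worth confirming that corb->rp is likewise kept below corb->size wherever it is set. The rejection is reported only through DPRINTF, so the caller's handling of the -1 return is what makes the failure visible.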