git: 6acac2ca9aa1 - releng/14.1 - bhyve: validate corb->wp to avoid infinite loop
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Oct 2024 18:45:34 UTC
The branch releng/14.1 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=6acac2ca9aa19cb20426c1a8bbb02df30e5ddb5c commit 6acac2ca9aa19cb20426c1a8bbb02df30e5ddb5c Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-09-19 18:57:42 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-10-29 18:43:34 +0000 bhyve: validate corb->wp to avoid infinite loop Guests must set HDAC_CORBWP less than corb->size. Treat invalid values as an error rather than entering an infinite loop. Reported by: Synacktiv Reviewed by: markj Security: HYP-12 Security: FreeBSD-SA-24:17.bhyve Approved by: so Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46134 (cherry picked from commit a305f44d1404fbf386bb2b50ab7233ce9eabe0bb) (cherry picked from commit 6a645bb3535cb73b1f20db652c9e3893f26a986e) --- usr.sbin/bhyve/pci_hda.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c index 6f0c1b6cfba9..58481af71a4c 100644 --- a/usr.sbin/bhyve/pci_hda.c +++ b/usr.sbin/bhyve/pci_hda.c @@ -789,6 +789,11 @@ hda_corb_run(struct hda_softc *sc) int err; corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP); + if (corb->wp >= corb->size) { + DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp, + corb->size); + return (-1); + } while (corb->rp != corb->wp && corb->run) { corb->rp++;