git: cfcbeed4c7d5 - releng/13.4 - bhyve: improve bounds checks in hda_codec
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Oct 2024 18:49:54 UTC
The branch releng/13.4 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=cfcbeed4c7d533fba817b38cf29e51206ea956ff
commit cfcbeed4c7d533fba817b38cf29e51206ea956ff
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-07-24 14:56:54 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 18:49:15 +0000
bhyve: improve bounds checks in hda_codec
The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of .rodata of bhyve binary
can be disclosed.
The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.
Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46098
(cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
(cherry picked from commit 757bbf484c0bab2c4c7b504017079cceb833f7ae)
(cherry picked from commit 6cb1995a66aec98261256bc4da3eedfe840e1ab9)
---
usr.sbin/bhyve/hda_codec.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/bhyve/hda_codec.c b/usr.sbin/bhyve/hda_codec.c
index 1866149c020a..b7d6ec043675 100644
--- a/usr.sbin/bhyve/hda_codec.c
+++ b/usr.sbin/bhyve/hda_codec.c
@@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
payload = cmd_data & 0xffff;
}
- assert(cad == hci->cad);
assert(hci);
hops = hci->hops;
@@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
sc = (struct hda_codec_softc *)hci->priv;
assert(sc);
- assert(nid < sc->no_nodes);
+ if (cad != hci->cad || nid >= sc->no_nodes) {
+ DPRINTF("Invalid command data");
+ return (-1);
+ }
if (!hops->response) {
DPRINTF("The controller ops does not implement \
@@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
switch (verb) {
case HDA_CMD_VERB_GET_PARAMETER:
- res = sc->get_parameters[nid][payload];
+ if (payload < HDA_CODEC_PARAMS_COUNT)
+ res = sc->get_parameters[nid][payload];
break;
case HDA_CMD_VERB_GET_CONN_LIST_ENTRY:
res = sc->conn_list[nid][0];