From nobody Tue Oct 29 18:53:39 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XdKCm2fp4z5bnQS; Tue, 29 Oct 2024 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XdKCm0vvDz461q; Tue, 29 Oct 2024 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XdKCm0Fw4zbfh; Tue, 29 Oct 2024 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 49TIrdAx035173; Tue, 29 Oct 2024 18:53:39 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 49TIrdbo035170; Tue, 29 Oct 2024 18:53:39 GMT (envelope-from git)
Date: Tue, 29 Oct 2024 18:53:39 GMT
Message-Id: <202410291853.49TIrdbo035170@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 7d1d641efeda - releng/13.3 - bhyve: improve bounds checks in hda_codec
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.3
X-Git-Reftype: branch
X-Git-Commit: 7d1d641efeda7914acb892787b3ae2afcdb78c4f
Auto-Submitted: auto-generated

The branch releng/13.3 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=7d1d641efeda7914acb892787b3ae2afcdb78c4f

commit 7d1d641efeda7914acb892787b3ae2afcdb78c4f
Author:     Pierre Pronchery
AuthorDate: 2024-07-24 14:56:54 +0000
Commit:     Ed Maste
CommitDate: 2024-10-29 18:52:51 +0000

    bhyve: improve bounds checks in hda_codec

    The function hda_codec_command is vulnerable to buffer over-read: the
    payload value is extracted from the command and used as an array index
    without any validation.

    Fortunately, the payload value is capped at 255, so the information
    disclosure is limited and only a small part of .rodata of the bhyve
    binary can be disclosed. The risk is low because the leaked information
    is not sensitive. An attacker may be able to validate the version of the
    bhyve binary using this information disclosure (layout of .rodata
    information, ex: jmp_tables) before executing an exploit.
    Reported by:	Synacktiv
    Reviewed by:	christos, emaste
    Security:	HYP-13
    Security:	FreeBSD-SA-24:17.bhyve
    Approved by:	so
    Sponsored by:	The Alpha-Omega Project
    Sponsored by:	The FreeBSD Foundation
    Differential Revision:	https://reviews.freebsd.org/D46098

    (cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
    (cherry picked from commit 757bbf484c0bab2c4c7b504017079cceb833f7ae)
    (cherry picked from commit 6cb1995a66aec98261256bc4da3eedfe840e1ab9)
---
 usr.sbin/bhyve/hda_codec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bhyve/hda_codec.c b/usr.sbin/bhyve/hda_codec.c index 1866149c020a..b7d6ec043675 100644 --- a/usr.sbin/bhyve/hda_codec.c +++ b/usr.sbin/bhyve/hda_codec.c @@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) payload = cmd_data & 0xffff; } - assert(cad == hci->cad); assert(hci); hops = hci->hops; @@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) sc = (struct hda_codec_softc *)hci->priv; assert(sc); - assert(nid < sc->no_nodes); + if (cad != hci->cad || nid >= sc->no_nodes) { + DPRINTF("Invalid command data"); + return (-1); + } if (!hops->response) { DPRINTF("The controller ops does not implement \ @@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) switch (verb) { case HDA_CMD_VERB_GET_PARAMETER: - res = sc->get_parameters[nid][payload]; + if (payload < HDA_CODEC_PARAMS_COUNT) + res = sc->get_parameters[nid][payload]; break; case HDA_CMD_VERB_GET_CONN_LIST_ENTRY: res = sc->conn_list[nid][0];
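Review bot: in the first hunk (@@ -521,7 +521,6 @@), the deleted `assert(cad == hci->cad)` dereferenced `hci` one line before `assert(hci)` checked it, so the old order was null-check-after-use; moving the comparison to after the `hci`/`sc` asserts in the next hunk fixes that ordering as a side effect, and the commit message could say so, since it is the only behavioural change this hunk makes on its own.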
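Review bot: in the second hunk (@@ -530,7 +529,10 @@), replacing `assert(nid < sc->no_nodes)` with a runtime reject is the right call for guest-controlled input, because an assert is compiled out under NDEBUG and is otherwise a guest-triggerable abort of the whole VM, but the new `DPRINTF("Invalid command data")` throws away the values that someone triaging a misbehaving guest would need. The neighbouring `DPRINTF("The controller ops does not implement \` in the same hunk shows the macro takes a format string, so consider printing `cad`, `nid` and the expected `hci->cad` with the appropriate format specifiers. The `return (-1)` also happens before `hops->response` is consulted, so the caller must treat -1 as "no response was queued for this command"; that contract is outside this hunk and worth stating in a comment above the check.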
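Review bot: in the third hunk (@@ -540,7 +542,8 @@), an out-of-range `payload` now silently falls through the `break` with whatever `res` held before the `switch` (its initialisation is outside the hunk), whereas the bad cad/nid path in the previous hunk logs and returns -1; for consistency, and so a probing guest is visible in debug output, either add a `DPRINTF` on the else branch or reject the command the same way. The bound `payload < HDA_CODEC_PARAMS_COUNT` is correct only if that macro is the inner dimension of `get_parameters`; the declaration is not in the diff, so that should be confirmed in review. The context line `res = sc->conn_list[nid][0];` just below uses a constant inner index and needs no guard, but any other per-node table indexed by `payload` in this switch should get the same check.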