Date: Thu, 3 Oct 2024 21:14:51 GMT
Message-Id: <202410032114.493LEpR1051303@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: e94a1d6a7f2e - main - bhyve: improve bounds checks in hda_codec
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e94a1d6a7f2eb932850e1db418bf34d5c6991ce8
Auto-Submitted: auto-generated

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=e94a1d6a7f2eb932850e1db418bf34d5c6991ce8

commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8
Author:     Pierre Pronchery
AuthorDate: 2024-07-24 14:56:54 +0000
Commit:     Ed Maste
CommitDate: 2024-10-03 21:14:11 +0000

    bhyve: improve bounds checks in hda_codec

    The function hda_codec_command is vulnerable to a buffer over-read: the
    payload value is extracted from the command and used as an array index
    without any validation. Fortunately, the payload value is capped at 255,
    so the information disclosure is limited and only a small part of the
    .rodata of the bhyve binary can be disclosed.

    The risk is low because the leaked information is not sensitive. An
    attacker may be able to validate the version of the bhyve binary using
    this information disclosure (layout of .rodata information, ex:
    jmp_tables) before executing an exploit.

    Reported by:    Synacktiv
    Reviewed by:    christos, emaste
    Security:       HYP-13
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46098
---
 usr.sbin/bhyve/hda_codec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bhyve/hda_codec.c b/usr.sbin/bhyve/hda_codec.c
index 1866149c020a..b7d6ec043675 100644
--- a/usr.sbin/bhyve/hda_codec.c
+++ b/usr.sbin/bhyve/hda_codec.c @@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) payload = cmd_data & 0xffff; } - assert(cad == hci->cad); assert(hci); hops = hci->hops; @@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) sc = (struct hda_codec_softc *)hci->priv; assert(sc); - assert(nid < sc->no_nodes); + if (cad != hci->cad || nid >= sc->no_nodes) { + DPRINTF("Invalid command data"); + return (-1); + } if (!hops->response) { DPRINTF("The controller ops does not implement \ @@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data) switch (verb) { case HDA_CMD_VERB_GET_PARAMETER: - res = sc->get_parameters[nid][payload]; + if (payload < HDA_CODEC_PARAMS_COUNT) + res = sc->get_parameters[nid][payload]; break; case HDA_CMD_VERB_GET_CONN_LIST_ENTRY: res = sc->conn_list[nid][0];
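Review bot: In the first hunk, dropping `assert(cad == hci->cad);` is correct for two reasons worth stating in the commit: that assert dereferenced hci before `assert(hci);` ran, and assert() is compiled out under NDEBUG, so it never validated the guest-supplied codec address in a release build. Since the cad comparison now lives in a runtime check further down, a one-line comment at the remaining `assert(hci);` noting that guest-controlled fields are rejected below rather than asserted would help the next reader.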
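Review bot: In the second hunk, the new `return (-1);` path changes the function's contract: before this change hda_codec_command either asserted or delivered a result through hops->response, and the caller is not in this diff, so please confirm that a -1 return is treated as "no response for this command" rather than as a controller-level failure. Two smaller points: the `DPRINTF("Invalid command data");` would be far more useful for diagnosing a misbehaving guest if it included the rejected cad and nid values, and the `nid >= sc->no_nodes` bound should be the same quantity as the first dimension of the get_parameters and conn_list arrays indexed later in the function.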
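Review bot: In the third hunk, when `payload >= HDA_CODEC_PARAMS_COUNT` the guard simply skips the assignment, so `res` keeps whatever value it had before the switch and still flows to the response path; that is only safe if res is initialized at its declaration, which this diff does not show. For consistency with the nid check in the previous hunk, consider rejecting the command explicitly, e.g. `DPRINTF("Invalid parameter payload"); return (-1);`. Note also that the visible `payload = cmd_data & 0xffff;` branch shows payload is not always 8 bits wide, so an explicit bound against the table size, as done here, is the right guard rather than relying on the 255 cap mentioned in the commit message.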
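As an added example (not bhyve's code and not part of this commit), the following C program decodes a 32-bit HD Audio codec command word and applies the same kind of cad/nid/payload bounds checks the patch introduces, returning -1 instead of indexing past an array. The field layout follows the HD Audio spec; NO_NODES, PARAMS_COUNT, the 4-bit/12-bit verb selection rule and the table contents are assumed sample values.

```c
/* Added example (not bhyve's code): decode a 32-bit HD Audio codec command
 * and look up a parameter with every guest-controlled field bounds-checked
 * before it indexes an array.  Field layout follows the HDA spec; table
 * sizes, the verb-width test and table contents are constructed samples. */
#include <stdint.h>

#define NO_NODES            4       /* assumed node count (sc->no_nodes) */
#define PARAMS_COUNT        20      /* stands in for HDA_CODEC_PARAMS_COUNT */
#define VERB_GET_PARAMETER  0xf00   /* 12-bit "Get Parameter" verb */

/* Constructed parameter table; unlisted entries are zero. */
static const uint32_t get_parameters[NO_NODES][PARAMS_COUNT] = {
    [0][0] = 0x10ec0000,            /* node 0, vendor id parameter */
    [1][4] = 0x00010002,            /* node 1, subordinate node count */
};

struct hda_cmd { uint32_t cad, nid, verb, payload; };

/* Split the command word: cad 31:28, nid 27:20, then a 12-bit verb with
 * 8-bit payload (verb groups 0x7xx/0xFxx) or a 4-bit verb with 16-bit
 * payload.  Assumption: the top nibble of bits 19:16 selects the form. */
static void decode_cmd(uint32_t cmd_data, struct hda_cmd *c)
{
    uint32_t hi = (cmd_data >> 16) & 0xf;
    c->cad = (cmd_data >> 28) & 0xf;
    c->nid = (cmd_data >> 20) & 0xff;
    if (hi == 0x7 || hi == 0xf) {
        c->verb = (cmd_data >> 8) & 0xfff;
        c->payload = cmd_data & 0xff;
    } else {
        c->verb = hi;
        c->payload = cmd_data & 0xffff;
    }
}

/* Returns the parameter, or -1 when the command must be rejected: every
 * index is checked against its array bound instead of being assert()ed. */
static int64_t lookup_parameter(uint32_t my_cad, uint32_t cmd_data)
{
    struct hda_cmd c;
    decode_cmd(cmd_data, &c);
    if (c.cad != my_cad || c.nid >= NO_NODES)   /* wrong codec or node */
        return (-1);
    if (c.verb != VERB_GET_PARAMETER)           /* only this verb here */
        return (-1);
    if (c.payload >= PARAMS_COUNT)              /* would read past the row */
        return (-1);
    return (get_parameters[c.nid][c.payload]);
}
```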