[Bug 264435] bhyve hda_write() can index (and jump) beyond end of array
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 03 Jun 2022 15:01:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264435
Bug ID: 264435
Summary: bhyve hda_write() can index (and jump) beyond end of
array
Product: Base System
Version: Unspecified
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: rtm@lcs.mit.edu
In this from Bhyve's pci_hda.c:
static int
hda_write(struct hda_softc *sc, uint32_t offset, uint8_t size, uint32_t value)
{
uint32_t old = hda_get_reg_by_offset(sc, offset);
...;
hda_set_reg_handler set_reg_handler = hda_set_reg_table[offset];
...;
if (set_reg_handler)
set_reg_handler(sc, offset, old);
hda_set_reg_table[] has 385 entries. The guest gets to specify offset,
and it can be up to 8580 (HDA_LAST_OFFSET, enforced in
hda_get_reg_by_offset). So a malicious guest has a bunch of options
for where the call to set_reg_handler() can end up.
You can demo this by adding
HDAC_WRITE_4(&sc->mem, 0x4a4, 0x0);
at the start of hdac_reset() in /sys/dev/sound/pci/hda/hdac.c
and booting the resulting guest kernel on Bhyve.
--
You are receiving this mail because:
You are the assignee for the bug.