[Bug 264582] bhyve: hda_send_command() can index beyond the end of sc->codecs[]

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 264582] bhyve's hda_send_command() can index beyond the end of sc->codecs[]"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 20 Jan 2023 17:59:58 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264582

--- Comment #1 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=cf57f20edcf9c75f0f9f1ac1c44729184970b9d9

commit cf57f20edcf9c75f0f9f1ac1c44729184970b9d9
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-01-20 17:58:38 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-01-20 17:58:38 +0000

    bhyve: Fix a buffer overread in the PCI hda device model.

    The sc->codecs array contains HDA_CODEC_MAX (15) entries.  The
    guest-supplied cad field in the verb provided to hda_send_command is a
    4-bit field that was used as an index into sc->codecs without any
    bounds checking.  The highest value (15) would overflow the array.

    Other uses of sc->codecs in the device model used sc->codecs_no to
    determine which array indices have been initialized, so use a similar
    check to reject requests for uninitialized or invalid cad indices in
    hda_send_command.

    PR:             264582
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    corvink, markj, emaste
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D38128

 usr.sbin/bhyve/pci_hda.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.