Date: Fri, 03 Jun 2022 15:01:27 +0000 From: bugzilla-noreply@freebsd.org To: virtualization@FreeBSD.org Subject: [Bug 264435] bhyve hda_write() can index (and jump) beyond end of array Message-ID: <bug-264435-27103@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264435 Bug ID: 264435 Summary: bhyve hda_write() can index (and jump) beyond end of array Product: Base System Version: Unspecified Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: bhyve Assignee: virtualization@FreeBSD.org Reporter: rtm@lcs.mit.edu In this from Bhyve's pci_hda.c: static int hda_write(struct hda_softc *sc, uint32_t offset, uint8_t size, uint32_t val= ue) { uint32_t old =3D hda_get_reg_by_offset(sc, offset); ...; hda_set_reg_handler set_reg_handler =3D hda_set_reg_table[offset]; ...; if (set_reg_handler) set_reg_handler(sc, offset, old); hda_set_reg_table[] has 385 entries. The guest gets to specify offset, and it can be up to 8580 (HDA_LAST_OFFSET, enforced in hda_get_reg_by_offset). So a malicious guest has a bunch of options for where the call to set_reg_handler() can end up. You can demo this by adding HDAC_WRITE_4(&sc->mem, 0x4a4, 0x0); at the start of hdac_reset() in /sys/dev/sound/pci/hda/hdac.c and booting the resulting guest kernel on Bhyve. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-264435-27103>