Date:      Fri, 20 Jan 2023 17:59:58 +0000
From:      bugzilla-noreply@freebsd.org
To:        virtualization@FreeBSD.org
Subject:   [Bug 264582] bhyve: hda_send_command() can index beyond the end of sc->codecs[]
Message-ID:  <bug-264582-27103-IT3QhvXuqJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-264582-27103@https.bugs.freebsd.org/bugzilla/>
References:  <bug-264582-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264582

--- Comment #1 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=cf57f20edcf9c75f0f9f1ac1c44729184970b9d9

commit cf57f20edcf9c75f0f9f1ac1c44729184970b9d9
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-01-20 17:58:38 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-01-20 17:58:38 +0000

    bhyve: Fix a buffer overread in the PCI hda device model.

    The sc->codecs array contains HDA_CODEC_MAX (15) entries.  The
    guest-supplied cad field in the verb provided to hda_send_command is a
    4-bit field that was used as an index into sc->codecs without any
    bounds checking.  The highest value (15) would overflow the array.

    Other uses of sc->codecs in the device model used sc->codecs_no to
    determine which array indices have been initialized, so use a similar
    check to reject requests for uninitialized or invalid cad indices in
    hda_send_command.

    PR:             264582
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    corvink, markj, emaste
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D38128

 usr.sbin/bhyve/pci_hda.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
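Added example, not code from bhyve's pci_hda.c: a constructed C model of the bounds check the commit message describes, with the pre-fix indexing shown only as a predicate. The softc layout, the `hda_verb_cad`/`hda_codec_for_verb`/`hda_demo_setup` names and the verb layout (cad in bits 31:28) are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define HDA_CODEC_MAX 15   /* array size quoted in the commit message */

/* Constructed stand-in for the device softc; only the two field names
 * from the commit message (codecs, codecs_no) are taken from the page. */
struct hda_codec_inst { int id; };

struct hda_softc {
    struct hda_codec_inst *codecs[HDA_CODEC_MAX];
    int codecs_no;   /* number of entries of codecs[] that are initialized */
};

/* Assumed verb layout: the 4-bit codec address (cad) lives in bits 31:28. */
static unsigned hda_verb_cad(uint32_t verb) { return (verb >> 28) & 0xfu; }

/* Pre-fix behaviour, as a predicate instead of a real access: a raw
 * 4-bit cad can be 15, which is one past the end of a 15-entry array. */
static bool hda_unchecked_index_is_oob(uint32_t verb) {
    return hda_verb_cad(verb) >= HDA_CODEC_MAX;
}

/* Post-fix lookup: mirror the codecs_no check used elsewhere in the model,
 * so both invalid (15) and merely uninitialized cad values are rejected.
 * Returns NULL when the request must be dropped. */
static struct hda_codec_inst *hda_codec_for_verb(struct hda_softc *sc, uint32_t verb) {
    unsigned cad = hda_verb_cad(verb);
    if ((int)cad >= sc->codecs_no)   /* also covers cad == HDA_CODEC_MAX */
        return NULL;
    return sc->codecs[cad];
}

/* Builds a softc with n initialized codecs (constructed test fixture). */
static struct hda_softc *hda_demo_setup(int n) {
    static struct hda_codec_inst insts[HDA_CODEC_MAX];
    static struct hda_softc sc;
    sc.codecs_no = 0;
    for (int i = 0; i < HDA_CODEC_MAX; i++) {
        insts[i].id = i;
        sc.codecs[i] = (i < n) ? &insts[i] : NULL;
    }
    sc.codecs_no = n;
    return &sc;
}
```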