Date: Tue, 29 Oct 2024 18:53:38 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 127f37c9b32d - releng/13.3 - bhyve: validate corb->wp to avoid infinite loop Message-ID: <202410291853.49TIrcQQ035125@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch releng/13.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=127f37c9b32da806539ccab71347e2dfc30b50f2 commit 127f37c9b32da806539ccab71347e2dfc30b50f2 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-09-19 18:57:42 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-10-29 18:52:48 +0000 bhyve: validate corb->wp to avoid infinite loop Guests must set HDAC_CORBWP less than corb->size. Treat invalid values as an error rather than entering an infinite loop. Reported by: Synacktiv Reviewed by: markj Security: HYP-12 Security: FreeBSD-SA-24:17.bhyve Approved by: so Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46134 (cherry picked from commit a305f44d1404fbf386bb2b50ab7233ce9eabe0bb) (cherry picked from commit 6a645bb3535cb73b1f20db652c9e3893f26a986e) (cherry picked from commit 867aaad5c2bfdd8326fc805964e711ccfbb18d1e) --- usr.sbin/bhyve/pci_hda.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c index 7d824d7a1fd8..fd47abebaa42 100644 --- a/usr.sbin/bhyve/pci_hda.c +++ b/usr.sbin/bhyve/pci_hda.c @@ -787,6 +787,11 @@ hda_corb_run(struct hda_softc *sc) int err; corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP); + if (corb->wp >= corb->size) { + DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp, + corb->size); + return (-1); + } while (corb->rp != corb->wp && corb->run) { corb->rp++;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202410291853.49TIrcQQ035125>