diff options
author | John Baldwin <jhb@FreeBSD.org> | 2023-01-20 17:58:38 +0000 |
---|---|---|
committer | John Baldwin <jhb@FreeBSD.org> | 2023-01-20 17:58:38 +0000 |
commit | cf57f20edcf9c75f0f9f1ac1c44729184970b9d9 (patch) | |
tree | 0bb18206121f482bdd2933ac61861b145c55f9e3 /usr.sbin | |
parent | bfe8e339eb77910c2eb739b45aaa936148b33897 (diff) | |
download | src-cf57f20edcf9c75f0f9f1ac1c44729184970b9d9.tar.gz src-cf57f20edcf9c75f0f9f1ac1c44729184970b9d9.zip |
bhyve: Fix a buffer overread in the PCI hda device model.
The sc->codecs array contains HDA_CODEC_MAX (15) entries. The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking. The highest value (15) would overflow the array.
Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.
PR: 264582
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: corvink, markj, emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38128
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/bhyve/pci_hda.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c index bb8fba1a54bb..9e9d7ab5a626 100644 --- a/usr.sbin/bhyve/pci_hda.c +++ b/usr.sbin/bhyve/pci_hda.c @@ -475,12 +475,14 @@ hda_send_command(struct hda_softc *sc, uint32_t verb) struct hda_codec_class *codec = NULL; uint8_t cad = (verb >> HDA_CMD_CAD_SHIFT) & 0x0f; - hci = sc->codecs[cad]; - if (!hci) + if (cad >= sc->codecs_no) return (-1); DPRINTF("cad: 0x%x verb: 0x%x", cad, verb); + hci = sc->codecs[cad]; + assert(hci); + codec = hci->codec; assert(codec); |