bhyve: Fix a buffer overread in the PCI hda device model.

The sc->codecs array contains HDA_CODEC_MAX (15) entries.  The
guest-supplied cad field in the verb provided to hda_send_command is a
4-bit field that was used as an index into sc->codecs without any
bounds checking.  The highest value (15) would overflow the array.

Other uses of sc->codecs in the device model used sc->codecs_no to
determine which array indices have been initialized, so use a similar
check to reject requests for uninitialized or invalid cad indices in
hda_send_command.

PR:		264582
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	corvink, markj, emaste
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38128
John Baldwin 2023-01-20 09:58:38 -08:00
parent bfe8e339eb
commit cf57f20edc


@ -475,12 +475,14 @@ hda_send_command(struct hda_softc *sc, uint32_t verb)
struct hda_codec_class *codec = NULL;
uint8_t cad = (verb >> HDA_CMD_CAD_SHIFT) & 0x0f;
hci = sc->codecs[cad];
if (!hci)
if (cad >= sc->codecs_no)
return (-1);
DPRINTF("cad: 0x%x verb: 0x%x", cad, verb);
hci = sc->codecs[cad];
assert(hci);
codec = hci->codec;
assert(codec);
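Review bot: The new `if (cad >= sc->codecs_no) return (-1);` only bounds `cad` correctly if `sc->codecs[]` is filled contiguously from index 0 and `sc->codecs_no` is never allowed to exceed `HDA_CODEC_MAX`; the commit message says other users of `sc->codecs` already rely on that invariant, so a one-line comment above the check stating it (and that `cad` is a 4-bit guest-controlled value, hence the old out-of-bounds read at index 15) would make the replacement of the former `if (!hci)` NULL test by `assert(hci)` self-evidently safe. Also consider emitting a `DPRINTF` of the rejected `cad` in the early-return path: moving the existing `DPRINTF("cad: 0x%x verb: 0x%x", cad, verb);` below the check means a guest sending invalid codec addresses now leaves no trace in the debug output.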