bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to buffer over-read, the payload value is extracted from the command and used as an array index without any validation. Fortunately, the payload value is capped at 255, so the information disclosure is limited and only a small part of .rodata of bhyve binary can be disclosed. The risk is low because the leaked information is not sensitive. An attacker may be able to validate the version of the bhyve binary using this information disclosure (layout of .rodata information, ex: jmp_tables) before executing an exploit. Reported by: Synacktiv Reviewed by: christos, emaste Security: HYP-13 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46098 (cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
2026-02-18 18:20:26 -05:00 · 2024-07-24 16:56:54 +02:00 · 2024-07-24 16:56:54 +02:00 · 757bbf484c
commit 757bbf484c
parent f8db6fb90e
1 changed files with 6 additions and 3 deletions
--- a/usr.sbin/bhyve/hda_codec.c
+++ b/usr.sbin/bhyve/hda_codec.c
@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
 		payload = cmd_data & 0xffff;
 	}

-	assert(cad == hci->cad);
 	assert(hci);

 	hops = hci->hops;
@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
 	sc = (struct hda_codec_softc *)hci->priv;
 	assert(sc);

-	assert(nid < sc->no_nodes);
+	if (cad != hci->cad || nid >= sc->no_nodes) {
+		DPRINTF("Invalid command data");
+		return (-1);
+	}

 	if (!hops->response) {
 		DPRINTF("The controller ops does not implement \
@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)

 	switch (verb) {
 	case HDA_CMD_VERB_GET_PARAMETER:
-		res = sc->get_parameters[nid][payload];
+		if (payload < HDA_CODEC_PARAMS_COUNT)
+			res = sc->get_parameters[nid][payload];
 		break;
 	case HDA_CMD_VERB_GET_CONN_LIST_ENTRY:
 		res = sc->conn_list[nid][0];