From a305f44d1404fbf386bb2b50ab7233ce9eabe0bb Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Thu, 19 Sep 2024 14:57:42 -0400
Subject: [PATCH] bhyve: validate corb->wp to avoid infinite loop

Guests must set HDAC_CORBWP less than corb->size.  Treat invalid values
as an error rather than entering an infinite loop.

Reported by:	Synacktiv
Reviewed by:	markj
Security:	HYP-12
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46134
---
 usr.sbin/bhyve/pci_hda.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c
index 8bd84a5113e..97d6264413e 100644
--- a/usr.sbin/bhyve/pci_hda.c
+++ b/usr.sbin/bhyve/pci_hda.c
@@ -788,6 +788,11 @@ hda_corb_run(struct hda_softc *sc)
 	int err;
 
 	corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
+	if (corb->wp >= corb->size) {
+		DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
+		    corb->size);
+		return (-1);
+	}
 
 	while (corb->rp != corb->wp && corb->run) {
 		corb->rp++;