HomeFreeBSD

bhyve: improve bounds checks in hda_codec

Description

bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of .rodata of bhyve binary
can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.

Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46098

(cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
(cherry picked from commit 757bbf484c0bab2c4c7b504017079cceb833f7ae)

Details

Provenance
khorben_defora.orgAuthored on Jul 24 2024, 2:56 PM
emasteCommitted on Tue, Oct 29, 6:43 PM
Reviewer
christos
Differential Revision
Restricted Differential Revision
Parents
rG6acac2ca9aa1: bhyve: validate corb->wp to avoid infinite loop
Branches
Unknown
Tags
Unknown