
bhyve: improve bounds checks in hda_codec

Description

bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to a buffer over-read: the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of the .rodata of the bhyve binary
can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, e.g.
jmp_tables) before executing an exploit.

Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46098

(cherry picked from commit e94a1d6a7f2eb932850e1db418bf34d5c6991ce8)
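The missing check described above, as an added illustration that is not bhyve's hda_codec.c: a constructed codec command handler that extracts the 8-bit payload from the command word and validates it against the length of a read-only table before using it as an index. The command layout (verb in bits 19:8, payload in bits 7:0), the Get Parameter verb number and the table contents are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed example, not bhyve code. Assumed 12-bit-verb command layout:
 * bits 19:8 hold the verb, bits 7:0 hold the payload (hence payload <= 255).
 */
#define HDA_CMD_VERB(cmd)	(((cmd) >> 8) & 0xfff)
#define HDA_CMD_PAYLOAD(cmd)	((cmd) & 0xff)
#define HDA_VERB_GET_PARAMETER	0xf00	/* assumed: payload is a parameter id */

/* Hypothetical read-only parameter table; an unchecked index of up to 255
 * into a 4-entry table would read past it into neighbouring .rodata. */
static const uint32_t param_table[] = {
	0x00100200,	/* constructed: vendor/device id */
	0x00000001,	/* constructed: revision id */
	0x00000001,	/* constructed: node count */
	0x00000400,	/* constructed: function group type */
};
#define PARAM_TABLE_LEN	(sizeof(param_table) / sizeof(param_table[0]))

/* The bounds check the commit adds: is the payload a valid table index? */
static bool
hda_payload_in_range(uint32_t cmd)
{
	return (HDA_CMD_PAYLOAD(cmd) < PARAM_TABLE_LEN);
}

/*
 * Handle one command word. A Get Parameter request with an out-of-range
 * parameter id, or any other verb, yields a zero response instead of an
 * over-read.
 */
static uint32_t
hda_codec_command_example(uint32_t cmd)
{
	if (HDA_CMD_VERB(cmd) != HDA_VERB_GET_PARAMETER)
		return (0);
	if (!hda_payload_in_range(cmd))
		return (0);
	return (param_table[HDA_CMD_PAYLOAD(cmd)]);
}
```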

Details

Provenance
Authored by khorben_defora.org on Jul 24 2024, 2:56 PM
Committed by emaste on Oct 6 2024, 3:04 PM
Reviewer: christos
Parent: rGf8db6fb90e73: vmm: avoid potential KASSERT kernel panic in vm_handle_db