
bhyve: improve bounds checks in hda_codec

Description

bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to a buffer over-read: the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of the .rodata of the bhyve
binary can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, e.g.
jmp_tables) before executing an exploit.

Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46098
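
The pattern the commit message describes, as an added example that is not bhyve's code: a guest-controlled 8-bit payload indexes a small constant table, shown unchecked and with the bounds check applied. The table contents, the `demo_*` names and the payload position (low 8 bits of the command word) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-entry table standing in for a small const array in .rodata. */
static const uint32_t demo_table[] = { 0x10, 0x20, 0x30, 0x40 };
#define DEMO_LEN (sizeof(demo_table) / sizeof(demo_table[0]))

/* Assumption: the payload is the low 8 bits of the guest-supplied command. */
static uint8_t demo_payload(uint32_t cmd) { return (uint8_t)(cmd & 0xff); }

/* Unchecked pattern: any payload >= DEMO_LEN reads past the end of the table. */
uint32_t demo_lookup_unchecked(uint32_t cmd) {
    return demo_table[demo_payload(cmd)];
}

/* Checked pattern: validate the index before use and fail closed otherwise. */
int demo_lookup_checked(uint32_t cmd, uint32_t *out) {
    size_t idx = demo_payload(cmd);
    if (idx >= DEMO_LEN)
        return -1;
    *out = demo_table[idx];
    return 0;
}

/* Bytes beyond the table that an 8-bit index can reach in the unchecked form. */
size_t demo_overread_bytes(void) {
    return (UINT8_MAX + 1 - DEMO_LEN) * sizeof(demo_table[0]);
}

/* Sweep every payload value and count how many the checked form rejects. */
unsigned demo_count_rejected(void) {
    unsigned rejected = 0;
    uint32_t out;
    for (uint32_t p = 0; p <= UINT8_MAX; p++)
        if (demo_lookup_checked(0xABCDE000u | p, &out) != 0)
            rejected++;
    return rejected;
}

int main(void) {
    printf("reachable over-read: %zu bytes, rejected payloads: %u\n",
        demo_overread_bytes(), demo_count_rejected());
    return 0;
}
```

The sweep over all 256 payload values is a cheap regression check for this kind of fix: every index outside the table must be rejected, and the 8-bit cap bounds how far the unchecked form could have read.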

Details

Provenance
khorben_defora.org authored on Jul 24 2024, 2:56 PM
emaste committed on Thu, Oct 3, 9:14 PM
Reviewer
christos
Differential Revision
Restricted Differential Revision
Parents
rGfd3d13678e9e: sglist.9: fix typo