git: 127f37c9b32d - releng/13.3 - bhyve: validate corb->wp to avoid infinite loop
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Oct 2024 18:53:38 UTC
The branch releng/13.3 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=127f37c9b32da806539ccab71347e2dfc30b50f2
commit 127f37c9b32da806539ccab71347e2dfc30b50f2
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-09-19 18:57:42 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 18:52:48 +0000
bhyve: validate corb->wp to avoid infinite loop
Guests must set HDAC_CORBWP less than corb->size. Treat invalid values
as an error rather than entering an infinite loop.
Reported by: Synacktiv
Reviewed by: markj
Security: HYP-12
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46134
(cherry picked from commit a305f44d1404fbf386bb2b50ab7233ce9eabe0bb)
(cherry picked from commit 6a645bb3535cb73b1f20db652c9e3893f26a986e)
(cherry picked from commit 867aaad5c2bfdd8326fc805964e711ccfbb18d1e)
---
usr.sbin/bhyve/pci_hda.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c
index 7d824d7a1fd8..fd47abebaa42 100644
--- a/usr.sbin/bhyve/pci_hda.c
+++ b/usr.sbin/bhyve/pci_hda.c
@@ -787,6 +787,11 @@ hda_corb_run(struct hda_softc *sc)
int err;
corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
+ if (corb->wp >= corb->size) {
+ DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
+ corb->size);
+ return (-1);
+ }
while (corb->rp != corb->wp && corb->run) {
corb->rp++;