[Bug 264435] bhyve hda_write() can index (and jump) beyond end of array

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 03 Jun 2022 15:01:27 UTC

            Bug ID: 264435
           Summary: bhyve hda_write() can index (and jump) beyond end of
           Product: Base System
           Version: Unspecified
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In this from Bhyve's pci_hda.c:

static int
hda_write(struct hda_softc *sc, uint32_t offset, uint8_t size, uint32_t value)
        uint32_t old = hda_get_reg_by_offset(sc, offset);
        hda_set_reg_handler set_reg_handler = hda_set_reg_table[offset];
        if (set_reg_handler)
                set_reg_handler(sc, offset, old);

hda_set_reg_table[] has 385 entries. The guest gets to specify offset,
and it can be up to 8580 (HDA_LAST_OFFSET, enforced in
hda_get_reg_by_offset). So a malicious guest has a bunch of options
for where the call to set_reg_handler() can end up.

You can demo this by adding

    HDAC_WRITE_4(&sc->mem, 0x4a4, 0x0);

at the start of hdac_reset() in /sys/dev/sound/pci/hda/hdac.c
and booting the resulting guest kernel on Bhyve.

You are receiving this mail because:
You are the assignee for the bug.