[Bug 264582] bhyve's hda_send_command() can index beyond the end of sc->codecs[]
Date: Thu, 09 Jun 2022 23:19:49 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264582

    Bug ID: 264582
    Summary: bhyve's hda_send_command() can index beyond the end of sc->codecs[]
    Product: Base System
    Version: CURRENT
    Hardware: Any
    OS: Any
    Status: New
    Severity: Affects Some People
    Priority: ---
    Component: bhyve
    Assignee: virtualization@FreeBSD.org
    Reporter: rtm@lcs.mit.edu

The guest specifies cad as a 4-bit field in verb, and thus can arrange
for cad to be 15:

    hda_send_command(struct hda_softc *sc, uint32_t verb)
    {
            struct hda_codec_inst *hci = NULL;
            struct hda_codec_class *codec = NULL;
            uint8_t cad = (verb >> HDA_CMD_CAD_SHIFT) & 0x0f;

            hci = sc->codecs[cad];

But codecs[] has length 15 (HDA_CODEC_MAX).

-- 
You are receiving this mail because:
You are the assignee for the bug.
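The bounds check this report implies, as an added example in C; it is not bhyve's code and not the project's actual fix. The struct names are stand-ins, and the shift value of 28 is an assumption (the report gives only the 0x0f mask and the array length of 15).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDA_CMD_CAD_SHIFT 28   /* assumption: cad occupies verb bits 31:28 */
#define HDA_CODEC_MAX     15   /* array length stated in the report */

struct codec_inst { int id; };             /* stand-in for struct hda_codec_inst */
struct softc {                             /* stand-in for struct hda_softc */
	struct codec_inst *codecs[HDA_CODEC_MAX];
};

/* Decode the guest-controlled 4-bit codec address as the report shows. */
static uint8_t verb_cad(uint32_t verb)
{
	return (verb >> HDA_CMD_CAD_SHIFT) & 0x0f;
}

/* Bounds-checked lookup: NULL for an out-of-range or unpopulated slot. */
static struct codec_inst *codec_lookup(struct softc *sc, uint32_t verb)
{
	uint8_t cad = verb_cad(verb);

	if (cad >= HDA_CODEC_MAX)      /* mask admits 0..15, array holds 0..14 */
		return NULL;
	return sc->codecs[cad];
}

/* Walk every value the mask can yield; return the first the array cannot hold. */
static int first_unindexable_cad(void)
{
	for (uint32_t cad = 0; cad <= 0x0f; cad++)
		if (verb_cad(cad << HDA_CMD_CAD_SHIFT) >= HDA_CODEC_MAX)
			return (int)cad;
	return -1;
}

int main(void)
{
	static struct codec_inst c0 = { 0 };
	struct softc sc = { .codecs = { &c0 } };   /* constructed: one codec at address 0 */

	printf("cad 0  -> %p\n", (void *)codec_lookup(&sc, 0x00000000u));
	printf("cad 15 -> %p\n", (void *)codec_lookup(&sc, 0xf0000000u));
	printf("first unindexable cad: %d\n", first_unindexable_cad());
	return 0;
}
```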