bhyve: validate corb->wp to avoid infinite loop
Guests must set HDAC_CORBWP less than corb->size. Treat invalid values as an error rather than entering an infinite loop. Reported by: Synacktiv Reviewed by: markj Security: HYP-12 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46134
This commit is contained in:
@@ -788,6 +788,11 @@ hda_corb_run(struct hda_softc *sc)
|
||||
int err;
|
||||
|
||||
corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
|
||||
if (corb->wp >= corb->size) {
|
||||
DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
|
||||
corb->size);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
while (corb->rp != corb->wp && corb->run) {
|
||||
corb->rp++;
|
||||
|
||||
Reference in New Issue
Block a user