bhyve: improve bounds checks in hda_codec

The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of .rodata of bhyve binary
can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.

Reported by:	Synacktiv
Reviewed by:	christos, emaste
Security:	HYP-13
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46098

1 files changed, 6 insertions, 3 deletions

diff --git a/usr.sbin/bhyve/hda_codec.c b/usr.sbin/bhyve/hda_codec.c
index 1866149c020a..b7d6ec043675 100644
--- a/usr.sbin/bhyve/hda_codec.c
+++ b/usr.sbin/bhyve/hda_codec.c
@@ -521,7 +521,6 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
 		payload = cmd_data & 0xffff;
 	}
 
-	assert(cad == hci->cad);
 	assert(hci);
 
 	hops = hci->hops;
@@ -530,7 +529,10 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
 	sc = (struct hda_codec_softc *)hci->priv;
 	assert(sc);
 
-	assert(nid < sc->no_nodes);
+	if (cad != hci->cad || nid >= sc->no_nodes) {
+		DPRINTF("Invalid command data");
+		return (-1);
+	}
 
 	if (!hops->response) {
 		DPRINTF("The controller ops does not implement \
@@ -540,7 +542,8 @@ hda_codec_command(struct hda_codec_inst *hci, uint32_t cmd_data)
 
 	switch (verb) {
 	case HDA_CMD_VERB_GET_PARAMETER:
-		res = sc->get_parameters[nid][payload];
+		if (payload < HDA_CODEC_PARAMS_COUNT)
+			res = sc->get_parameters[nid][payload];
 		break;
 	case HDA_CMD_VERB_GET_CONN_LIST_ENTRY:
 		res = sc->conn_list[nid][0];