[Bug 264582] bhyve: hda_send_command() can index beyond the end of sc->codecs[]
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264582 --- Comment #1 from commit-h...@freebsd.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=cf57f20edcf9c75f0f9f1ac1c44729184970b9d9 commit cf57f20edcf9c75f0f9f1ac1c44729184970b9d9 Author: John Baldwin AuthorDate: 2023-01-20 17:58:38 + Commit: John Baldwin CommitDate: 2023-01-20 17:58:38 + bhyve: Fix a buffer overread in the PCI hda device model. The sc->codecs array contains HDA_CODEC_MAX (15) entries. The guest-supplied cad field in the verb provided to hda_send_command is a 4-bit field that was used as an index into sc->codecs without any bounds checking. The highest value (15) would overflow the array. Other uses of sc->codecs in the device model used sc->codecs_no to determine which array indices have been initialized, so use a similar check to reject requests for uninitialized or invalid cad indices in hda_send_command. PR: 264582 Reported by:Robert Morris Reviewed by:corvink, markj, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38128 usr.sbin/bhyve/pci_hda.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264435 --- Comment #2 from commit-h...@freebsd.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=bfe8e339eb77910c2eb739b45aaa936148b33897 commit bfe8e339eb77910c2eb739b45aaa936148b33897 Author: John Baldwin AuthorDate: 2023-01-20 17:57:45 + Commit: John Baldwin CommitDate: 2023-01-20 17:57:45 + bhyve: Fix a global buffer overread in the PCI hda device model. hda_write did not validate the relative register offset before using it as an index into the hda_set_reg_table array to lookup a function pointer to execute after updating the register's value. PR: 264435 Reported by:Robert Morris Reviewed by:corvink, markj, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38127 usr.sbin/bhyve/pci_hda.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug.
[Bug 264435] bhyve: hda_write() can index (and jump) beyond end of array
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264435 Ed Maste changed: What|Removed |Added Assignee|virtualization@FreeBSD.org |j...@freebsd.org Status|Open|In Progress -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.
[Bug 264521] bhyve: pci_vtscsi_request_handle() can read beyond allocated heap object
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264521 Ed Maste changed: What|Removed |Added Status|Open|Closed Resolution|--- |FIXED --- Comment #7 from Ed Maste --- Committed and merged to stable branches -- You are receiving this mail because: You are on the CC list for the bug.
[Bug 264582] bhyve: hda_send_command() can index beyond the end of sc->codecs[]
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264582 Ed Maste changed: What|Removed |Added Assignee|virtualization@FreeBSD.org |j...@freebsd.org CC||ema...@freebsd.org Status|Open|In Progress -- You are receiving this mail because: You are the assignee for the bug.
[Bug 264177] bhyve: Guest can cause a crash in bhyve nvme emulation
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264177 Ed Maste changed: What|Removed |Added CC||ema...@freebsd.org Status|In Progress |Closed Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.
[Bug 221074] Hyper V Gen 2 install has no mouse
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221074 Yuri changed: What|Removed |Added CC||y...@aetern.org --- Comment #31 from Yuri --- (In reply to Vladimir Kondratyev from comment #16) I have put together a stub hv_ms driver (code copied and modified from hv_kbd). As it is, it does nothing other than spamming the console on mouse events. If this works for you, feel free to "commandeer" the review. https://reviews.freebsd.org/D38140 -- You are receiving this mail because: You are the assignee for the bug.
[Bug 221074] Hyper V Gen 2 install has no mouse
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221074 Graham Perrin changed: What|Removed |Added Status|New |Open See Also||https://reviews.freebsd.org ||/D38140 -- You are receiving this mail because: You are the assignee for the bug.
