VirtualBox

Opened 20 months ago

#21474 new defect

Global buffer overflow in hdaMmioWrite()

Reported by: cyruscyliu Owned by:
Component: audio Version: VirtualBox-7.0.6
Keywords: Cc:
Guest type: Linux Host type: Linux

Description

When issuing mmio_writeb(0x2146, 0xc2), cbBefore (at [1]) can be too large for g_afMasks (at [2]), which only has five elements.

static DECLCALLBACK(VBOXSTRICTRC) hdaMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb) {
    // ...
    idxRegDsc = hdaR3RegLookupWithin(off);
    if (idxRegDsc != -1)
    {
        uint32_t const cbBefore = (uint32_t)off - g_aHdaRegMap[idxRegDsc].off; // [1]
        Assert(cbBefore > 0 && cbBefore < 4);
        off      -= cbBefore;
        idxRegMem = g_aHdaRegMap[idxRegDsc].idxReg;
        u64Value <<= cbBefore * 8;
        u64Value  |= pThis->au32Regs[idxRegMem] & g_afMasks[cbBefore]; // ------> [2]
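To illustrate the defect class the report describes (a partial-write offset that is validated only by a debug-time assertion and then used as an array index), here is a constructed C model added to this page; it is not VirtualBox code, and the register table, its sizes and the function names are hypothetical. The hardened variant shows the run-time bound a defender would expect before indexing the mask table.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the register-map pattern in the report, not the real
 * VirtualBox table: each descriptor has an MMIO offset and a byte width.
 * The last entry is a 16-byte-wide register, so a lookup-within hit can land
 * well past the descriptor's start offset. */
typedef struct { uint32_t off; uint32_t cb; } RegDesc;
static const RegDesc g_aRegMap[] = {
    { 0x00, 4 },
    { 0x04, 4 },
    { 0x10, 16 },  /* hypothetical wide register */
};

/* Byte masks for partial writes; five entries, as in the report. */
static const uint32_t g_afMasks[5] = { 0, 0xff, 0xffff, 0xffffff, 0xffffffff };

/* Find the descriptor whose [off, off + cb) range covers the access. */
static int reg_lookup_within(uint32_t off) {
    for (size_t i = 0; i < sizeof g_aRegMap / sizeof g_aRegMap[0]; i++)
        if (off >= g_aRegMap[i].off && off < g_aRegMap[i].off + g_aRegMap[i].cb)
            return (int)i;
    return -1;
}

/* Mirrors the flawed flow: in the original, cbBefore is only checked by an
 * assertion that is absent from non-debug builds, so the value is used as an
 * index unchecked.  Returns the index that would be used, or -1 if no
 * register matched.  Values >= 5 would read past the end of g_afMasks. */
static int mask_index_unchecked(uint32_t off) {
    int idx = reg_lookup_within(off);
    if (idx == -1) return -1;
    uint32_t cbBefore = off - g_aRegMap[idx].off;
    return (int)cbBefore;
}

/* Hardened variant: enforce the bound at run time before indexing, and
 * refuse the access instead of trusting a debug-only assertion. */
static bool mask_for_write(uint32_t off, uint32_t *mask_out) {
    int idx = reg_lookup_within(off);
    if (idx == -1) return false;
    uint32_t cbBefore = off - g_aRegMap[idx].off;
    if (cbBefore >= sizeof g_afMasks / sizeof g_afMasks[0]) return false;
    *mask_out = g_afMasks[cbBefore];
    return true;
}
```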

Attachments (3)

intel-hda-00.backtrace (6.0 KB ) - added by cyruscyliu 20 months ago.
backtrace
userspace_program.c (3.1 KB ) - added by cyruscyliu 20 months ago.
poc
hda-00 (14.0 KB ) - added by cyruscyliu 20 months ago.
poc (binary) (runnable on Ubuntu)


Change History (3)

by cyruscyliu, 20 months ago

Attachment: intel-hda-00.backtrace added

backtrace

by cyruscyliu, 20 months ago

Attachment: userspace_program.c added

poc

by cyruscyliu, 20 months ago

Attachment: hda-00 added

poc (binary) (runnable on Ubuntu)
