Publish FreeBSD-SA-18:14.bhyve.
Approved by: so
parent 88c808a52a
commit 9ceccb0b82
Notes: svn2git, 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=52569
4 changed files with 261 additions and 0 deletions
133
share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
Normal file
|
@ -0,0 +1,133 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-18:14.bhyve Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Insufficient bounds checking in bhyve(8) device model
|
||||
|
||||
Category: core
|
||||
Module: bhyve
|
||||
Announced: 2018-12-04
|
||||
Credits: Reno Robert
|
||||
Affects: All supported versions of FreeBSD.
|
||||
Corrected: 2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
|
||||
2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
|
||||
CVE Name: CVE-2018-17160
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The bhyve hypervisor uses the bhyve(8) program to emulate support for most
|
||||
virtual devices used by guest operating systems.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Insufficient bounds checking in one of the device models provided by bhyve(8)
|
||||
can permit a guest operating system to overwrite memory in the bhyve(8)
|
||||
processing possibly permitting arbitary code execution.
|
||||
|
||||
III. Impact
|
||||
|
||||
A guest OS using a firmware image can cause the bhyve process to crash, or
|
||||
possibly execute arbitrary code on the host as root.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
The device model in question is only enabled when booting guests with a
|
||||
firmware image such as the UEFI images from the bhyve-firmware package.
|
||||
Guests booted using bhyveload(8) or grub2-bhyve are not affected. Guests
|
||||
using operating systems supported by bhyveload(8) or grub2-bhyve can be
|
||||
booted using these tools as a workaround.
|
||||
|
||||
No workaround is available for guest operating systems such as Windows that
|
||||
require a firmware image.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
1) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
Afterward, restart guests using firmware images.
|
||||
|
||||
2) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
|
||||
# gpg --verify bhyve.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Afterward, restart guests using firmware images.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/11/ r341486
|
||||
releng/11.2/ r341488
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
||||
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
||||
5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3
|
||||
nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg
|
||||
3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv
|
||||
9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9
|
||||
rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR
|
||||
AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt
|
||||
jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx
|
||||
MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68
|
||||
vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc
|
||||
fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ8PECJ+r0X5bhkzW
|
||||
Ymlksu/HprW4tFLCdD4mB7lewvr3qpmoRoS1KwgMoXnRKzPbGsc=
|
||||
=4zGb
|
||||
-----END PGP SIGNATURE-----
|
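Review bot: section II of the advisory text reads "bhyve(8) processing possibly permitting arbitary code execution", where "processing" should be "process" and "arbitary" should be "arbitrary"; because the body is clearsigned, correcting it means re-signing the file. The description also never names the affected device model, although the accompanying patch touches only usr.sbin/bhyve/fwctl.c; naming it would let operators match the workaround in section IV to their guest configuration.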
97
share/security/patches/SA-18:14/bhyve.patch
Normal file
|
@ -0,0 +1,97 @@
|
|||
--- usr.sbin/bhyve/fwctl.c.orig
|
||||
+++ usr.sbin/bhyve/fwctl.c
|
||||
@@ -79,8 +79,8 @@
|
||||
|
||||
struct op_info {
|
||||
int op;
|
||||
- int (*op_start)(int len);
|
||||
- void (*op_data)(uint32_t data, int len);
|
||||
+ int (*op_start)(uint32_t len);
|
||||
+ void (*op_data)(uint32_t data, uint32_t len);
|
||||
int (*op_result)(struct iovec **data);
|
||||
void (*op_done)(struct iovec *data);
|
||||
};
|
||||
@@ -119,7 +119,7 @@
|
||||
}
|
||||
|
||||
static int
|
||||
-errop_start(int len)
|
||||
+errop_start(uint32_t len)
|
||||
{
|
||||
errop_code = ENOENT;
|
||||
|
||||
@@ -128,7 +128,7 @@
|
||||
}
|
||||
|
||||
static void
|
||||
-errop_data(uint32_t data, int len)
|
||||
+errop_data(uint32_t data, uint32_t len)
|
||||
{
|
||||
|
||||
/* ignore */
|
||||
@@ -188,7 +188,7 @@
|
||||
static size_t fget_size;
|
||||
|
||||
static int
|
||||
-fget_start(int len)
|
||||
+fget_start(uint32_t len)
|
||||
{
|
||||
|
||||
if (len > FGET_STRSZ)
|
||||
@@ -200,7 +200,7 @@
|
||||
}
|
||||
|
||||
static void
|
||||
-fget_data(uint32_t data, int len)
|
||||
+fget_data(uint32_t data, uint32_t len)
|
||||
{
|
||||
|
||||
*((uint32_t *) &fget_str[fget_cnt]) = data;
|
||||
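Review bot: in fget_data the store `*((uint32_t *) &fget_str[fget_cnt]) = data;` is still indexed by fget_cnt with no bound check visible in this hunk, so retyping len to uint32_t does not by itself constrain where the four bytes land. Confirm that the limit enforced in fget_start (`if (len > FGET_STRSZ)`) also caps fget_cnt, or add an explicit check that fget_cnt + sizeof(uint32_t) fits in fget_str before the store. Copying with memcpy would also avoid depending on the alignment of fget_str.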
@@ -285,8 +285,8 @@
|
||||
struct op_info *req_op;
|
||||
int resp_error;
|
||||
int resp_count;
|
||||
- int resp_size;
|
||||
- int resp_off;
|
||||
+ size_t resp_size;
|
||||
+ size_t resp_off;
|
||||
struct iovec *resp_biov;
|
||||
} rinfo;
|
||||
|
||||
@@ -346,13 +346,14 @@
|
||||
static int
|
||||
fwctl_request_data(uint32_t value)
|
||||
{
|
||||
- int remlen;
|
||||
|
||||
/* Make sure remaining size is >= 0 */
|
||||
- rinfo.req_size -= sizeof(uint32_t);
|
||||
- remlen = MAX(rinfo.req_size, 0);
|
||||
+ if (rinfo.req_size <= sizeof(uint32_t))
|
||||
+ rinfo.req_size = 0;
|
||||
+ else
|
||||
+ rinfo.req_size -= sizeof(uint32_t);
|
||||
|
||||
- (*rinfo.req_op->op_data)(value, remlen);
|
||||
+ (*rinfo.req_op->op_data)(value, rinfo.req_size);
|
||||
|
||||
if (rinfo.req_size < sizeof(uint32_t)) {
|
||||
fwctl_request_done();
|
||||
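Review bot: the declaration of rinfo.req_size is not part of this patch, and the new test `if (rinfo.req_size <= sizeof(uint32_t))` is only safe if that field is unsigned. If it is still a signed int, a negative value is converted to size_t for the comparison, takes the else branch and is decremented further; retype it alongside resp_size and resp_off, or state where it is bounded. The retained comment "Make sure remaining size is >= 0" also no longer describes the code and should say that the size is clamped at zero.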
@@ -401,7 +402,7 @@
|
||||
fwctl_response(uint32_t *retval)
|
||||
{
|
||||
uint32_t *dp;
|
||||
- int remlen;
|
||||
+ ssize_t remlen;
|
||||
|
||||
switch(rinfo.resp_count) {
|
||||
case 0:
|
||||
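Review bot: remlen in fwctl_response stays signed (`ssize_t remlen;`) while resp_size and resp_off become size_t in the earlier hunk, so any subtraction of those two fields that feeds remlen, which this patch does not show, is performed unsigned and should be guarded by a `resp_off >= resp_size` style comparison before the result is used. A short comment at the declaration saying why remlen needs to be signed would help the next reader.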
@@ -436,7 +437,7 @@
|
||||
}
|
||||
|
||||
if (rinfo.resp_count > 3 &&
|
||||
- rinfo.resp_size - rinfo.resp_off <= 0) {
|
||||
+ rinfo.resp_off >= rinfo.resp_size) {
|
||||
fwctl_response_done();
|
||||
return (1);
|
||||
}
|
18
share/security/patches/SA-18:14/bhyve.patch.asc
Normal file
|
@ -0,0 +1,18 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGymNfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
||||
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
||||
5cJzbw//cA11jv1m7gHMt4lxFwjQYxEO+WvLXZWvPv+69sCMnx++3B22bx9ppYgR
|
||||
DSTE3bdIod9qPbVt8DCgMIP5M1txy4a9WfXUy0UnNPy4Q8Kc91oztGQD4x5ne06M
|
||||
sluBUK5fhEFwyYiwlzS0JbUH7JXQ3WNrbyuk9eyegPVijFmmuv71hNCs2QUA0gxl
|
||||
XDbGg3xmfhkIYdVNVj+yp+kUCNaphe0GV4SeY2n3SrdUPePJnSyXGMFbPHtn8eJP
|
||||
fqE4KaaOfGy1xehzdLnfGWK52n/VIpWoLLNP+7xeNyL1eJ8loAMTY06rbQufKq0H
|
||||
BQKvd288RrIAESKHyCGsrb1KEruVPqQ3USO2LEB9IJrMpAiNSmjHa5M/u+KjMv6C
|
||||
VSSAIiyDPu0XlCC5PaPeGoCb2d1RbVQqgiIi6/am6bxOWtMI5hZgcbrGywlZCM18
|
||||
JC0KnINEGwMh2P6ObOnFOuZmn6g7QPTTkSeZkKqsfsV2UQ2cRvfRGvaEl3oov2LZ
|
||||
PpIYJQhOHhU+HrjZC6HyV+lQ9xlWMzsy94/oTyr8C2Dp7rAD3KbZSdAvgRfONkgk
|
||||
Ht3+sniufuFpYa2dmUmHyYjvkw7ERwPaIA69hIPMylR/+QTwFsloCBgccB/lu/At
|
||||
uet8vayiEEMo1TKk+LVt9HsVMcg6ZizKq+emAuxssb34QejcSj4=
|
||||
=4eUb
|
||||
-----END PGP SIGNATURE-----
|
|
@ -7,6 +7,19 @@
|
|||
<year>
|
||||
<name>2018</name>
|
||||
|
||||
<month>
|
||||
<name>12</name>
|
||||
|
||||
<day>
|
||||
<name>04</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-18:14.bhyve</name>
|
||||
</advisory>
|
||||
|
||||
</day>
|
||||
</month>
|
||||
|
||||
<month>
|
||||
<name>11</name>
|
||||
|
||||
|
|