From 9ceccb0b829a1d00928bdeabf78331bc42e3ebbe Mon Sep 17 00:00:00 2001
From: Gordon Tetlow
Date: Tue, 4 Dec 2018 18:45:45 +0000
Subject: [PATCH] Publish FreeBSD-SA-18:14.bhyve.

Approved by: so
---
 .../advisories/FreeBSD-SA-18:14.bhyve.asc | 133 ++++++++++++++++++
 share/security/patches/SA-18:14/bhyve.patch | 97 +++++++++++++
 .../security/patches/SA-18:14/bhyve.patch.asc | 18 +++
 share/xml/advisories.xml | 13 ++
 4 files changed, 261 insertions(+)
 create mode 100644 share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
 create mode 100644 share/security/patches/SA-18:14/bhyve.patch
 create mode 100644 share/security/patches/SA-18:14/bhyve.patch.asc

diff --git a/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc b/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
new file mode 100644
index 0000000000..5ea9e916b5
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:14.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient bounds checking in bhyve(8) device model
+
+Category: core
+Module: bhyve
+Announced: 2018-12-04
+Credits: Reno Robert
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
+ 2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
+CVE Name: CVE-2018-17160
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The bhyve hypervisor uses the bhyve(8) program to emulate support for most
+virtual devices used by guest operating systems.
+
+II. Problem Description
+
+Insufficient bounds checking in one of the device models provided by bhyve(8)
+can permit a guest operating system to overwrite memory in the bhyve(8)
+processing possibly permitting arbitary code execution.
+
+III. Impact
+
+A guest OS using a firmware image can cause the bhyve process to crash, or
+possibly execute arbitrary code on the host as root.
+
+IV. Workaround
+
+The device model in question is only enabled when booting guests with a
+firmware image such as the UEFI images from the bhyve-firmware package.
+Guests booted using bhyveload(8) or grub2-bhyve are not affected. Guests
+using operating systems supported by bhyveload(8) or grub2-bhyve can be
+booted using these tools as a workaround.
+
+No workaround is available for guest operating systems such as Windows that
+require a firmware image.
+
+V. Solution
+
+Perform one of the following:
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, restart guests using firmware images.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Afterward, restart guests using firmware images.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r341486
+releng/11.2/ r341488
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII.
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3 +nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg +3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv +9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9 +rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR +AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt +jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx +MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68 +vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc +fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ8PECJ+r0X5bhkzW +Ymlksu/HprW4tFLCdD4mB7lewvr3qpmoRoS1KwgMoXnRKzPbGsc= +=4zGb +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-18:14/bhyve.patch b/share/security/patches/SA-18:14/bhyve.patch new file mode 100644 index 0000000000..4dae99046f --- /dev/null +++ b/share/security/patches/SA-18:14/bhyve.patch 
@@ -0,0 +1,97 @@
+--- usr.sbin/bhyve/fwctl.c.orig
++++ usr.sbin/bhyve/fwctl.c
+@@ -79,8 +79,8 @@
+
+ struct op_info {
+ int op;
+- int (*op_start)(int len);
+- void (*op_data)(uint32_t data, int len);
++ int (*op_start)(uint32_t len);
++ void (*op_data)(uint32_t data, uint32_t len);
+ int (*op_result)(struct iovec **data);
+ void (*op_done)(struct iovec *data);
+ };
+@@ -119,7 +119,7 @@
+ }
+
+ static int
+-errop_start(int len)
++errop_start(uint32_t len)
+ {
+ errop_code = ENOENT;
+
+@@ -128,7 +128,7 @@
+ }
+
+ static void
+-errop_data(uint32_t data, int len)
++errop_data(uint32_t data, uint32_t len)
+ {
+
+ /* ignore */
+@@ -188,7 +188,7 @@
+ static size_t fget_size;
+
+ static int
+-fget_start(int len)
++fget_start(uint32_t len)
+ {
+
+ if (len > FGET_STRSZ)
+@@ -200,7 +200,7 @@
+ }
+
+ static void
+-fget_data(uint32_t data, int len)
++fget_data(uint32_t data, uint32_t len)
+ {
+
+ *((uint32_t *) &fget_str[fget_cnt]) = data;
+@@ -285,8 +285,8 @@
+ struct op_info *req_op;
+ int resp_error;
+ int resp_count;
+- int resp_size;
+- int resp_off;
++ size_t resp_size;
++ size_t resp_off;
+ struct iovec *resp_biov;
+ } rinfo;
+
+@@ -346,13 +346,14 @@
+ static int
+ fwctl_request_data(uint32_t value)
+ {
+- int remlen;
+
+ /* Make sure remaining size is >= 0 */
+- rinfo.req_size -= sizeof(uint32_t);
+- remlen = MAX(rinfo.req_size, 0);
++ if (rinfo.req_size <= sizeof(uint32_t))
++ rinfo.req_size = 0;
++ else
++ rinfo.req_size -= sizeof(uint32_t);
+
+- (*rinfo.req_op->op_data)(value, remlen);
++ (*rinfo.req_op->op_data)(value, rinfo.req_size);
+
+ if (rinfo.req_size < sizeof(uint32_t)) {
+ fwctl_request_done();
+@@ -401,7 +402,7 @@
+ fwctl_response(uint32_t *retval)
+ {
+ uint32_t *dp;
+- int remlen;
++ ssize_t remlen;
+
+ switch(rinfo.resp_count) {
+ case 0:
+@@ -436,7 +437,7 @@
+ }
+
+ if (rinfo.resp_count > 3 &&
+- rinfo.resp_size - rinfo.resp_off <= 0) {
++ rinfo.resp_off >= rinfo.resp_size) {
+ fwctl_response_done();
+ return (1);
+ }
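Review bot: fget_data still performs the guest-driven store `*((uint32_t *) &fget_str[fget_cnt]) = data;` with no bound on fget_cnt of its own; after this patch it is safe only because fget_start rejects `len > FGET_STRSZ` and the new clamp in fwctl_request_data (`if (rinfo.req_size <= sizeof(uint32_t)) rinfo.req_size = 0;`) stops the op_data calls, so the invariant protecting the write lives two functions away from it. A local guard before the store, `if (fget_cnt + sizeof(uint32_t) > FGET_STRSZ) return;`, would keep the write bounded even if that accounting regresses, assuming FGET_STRSZ is the size of fget_str (its declaration and the fget_cnt increment are outside the hunk), and a memcpy into `&fget_str[fget_cnt]` would avoid the type-punned uint32_t store. The clamp also relies on rinfo.req_size being unsigned, which is inferred here since the field is declared above the @@ -285 hunk; the now-stale comment `/* Make sure remaining size is >= 0 */` should say what the new code does, e.g. `/* Consume one word; clamp at 0 so a non-multiple-of-4 size cannot wrap */`. The bodies of fget_data, fwctl_request_data and fwctl_response all continue past their hunks.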
diff --git a/share/security/patches/SA-18:14/bhyve.patch.asc b/share/security/patches/SA-18:14/bhyve.patch.asc
new file mode 100644
index 0000000000..09e586c4cd
--- /dev/null
+++ b/share/security/patches/SA-18:14/bhyve.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGymNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJzbw//cA11jv1m7gHMt4lxFwjQYxEO+WvLXZWvPv+69sCMnx++3B22bx9ppYgR
+DSTE3bdIod9qPbVt8DCgMIP5M1txy4a9WfXUy0UnNPy4Q8Kc91oztGQD4x5ne06M
+sluBUK5fhEFwyYiwlzS0JbUH7JXQ3WNrbyuk9eyegPVijFmmuv71hNCs2QUA0gxl
+XDbGg3xmfhkIYdVNVj+yp+kUCNaphe0GV4SeY2n3SrdUPePJnSyXGMFbPHtn8eJP
+fqE4KaaOfGy1xehzdLnfGWK52n/VIpWoLLNP+7xeNyL1eJ8loAMTY06rbQufKq0H
+BQKvd288RrIAESKHyCGsrb1KEruVPqQ3USO2LEB9IJrMpAiNSmjHa5M/u+KjMv6C
+VSSAIiyDPu0XlCC5PaPeGoCb2d1RbVQqgiIi6/am6bxOWtMI5hZgcbrGywlZCM18
+JC0KnINEGwMh2P6ObOnFOuZmn6g7QPTTkSeZkKqsfsV2UQ2cRvfRGvaEl3oov2LZ
+PpIYJQhOHhU+HrjZC6HyV+lQ9xlWMzsy94/oTyr8C2Dp7rAD3KbZSdAvgRfONkgk
+Ht3+sniufuFpYa2dmUmHyYjvkw7ERwPaIA69hIPMylR/+QTwFsloCBgccB/lu/At
+uet8vayiEEMo1TKk+LVt9HsVMcg6ZizKq+emAuxssb34QejcSj4=
+=4eUb
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 2ea14b93f4..8e4b4f8a6a 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -7,6 +7,19 @@
2018
+
+ 12
+
+
+ 04
+
+
+ FreeBSD-SA-18:14.bhyve
+
+
+
+
+
11