Date:      Tue, 4 Dec 2018 18:45:45 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r52569 - in head/share: security/advisories security/patches/SA-18:14 xml
Message-ID:  <201812041845.wB4IjjfN090846@repo.freebsd.org>

Author: gordon (src,ports committer)
Date: Tue Dec  4 18:45:45 2018
New Revision: 52569
URL: https://svnweb.freebsd.org/changeset/doc/52569

Log:
  Publish FreeBSD-SA-18:14.bhyve.
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc   (contents, props changed)
  head/share/security/patches/SA-18:14/
  head/share/security/patches/SA-18:14/bhyve.patch   (contents, props changed)
  head/share/security/patches/SA-18:14/bhyve.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc	Tue Dec  4 18:45:45 2018	(r52569)
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:14.bhyve                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Insufficient bounds checking in bhyve(8) device model
+
+Category:       core
+Module:         bhyve
+Announced:      2018-12-04
+Credits:        Reno Robert
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
+                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
+CVE Name:       CVE-2018-17160
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The bhyve hypervisor uses the bhyve(8) program to emulate support for most
+virtual devices used by guest operating systems.
+
+II.  Problem Description
+
+Insufficient bounds checking in one of the device models provided by bhyve(8)
+can permit a guest operating system to overwrite memory in the bhyve(8)
+processing possibly permitting arbitary code execution.
+
+III. Impact
+
+A guest OS using a firmware image can cause the bhyve process to crash, or
+possibly execute arbitrary code on the host as root.
+
+IV.  Workaround
+
+The device model in question is only enabled when booting guests with a
+firmware image such as the UEFI images from the bhyve-firmware package.
+Guests booted using bhyveload(8) or grub2-bhyve are not affected.  Guests
+using operating systems supported by bhyveload(8) or grub2-bhyve can be
+booted using these tools as a workaround.
+
+No workaround is available for guest operating systems such as Windows that
+require a firmware image.
+
+V.   Solution
+
+Perform one of the following:
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, restart guests using firmware images.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Afterward, restart guests using firmware images.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r341486
+releng/11.2/                                                      r341488
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=4zGb
+-----END PGP SIGNATURE-----
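Review bot: Section II (Problem Description) ends with "overwrite memory in the bhyve(8) processing possibly permitting arbitary code execution", where "processing" reads as a slip for "process" and "arbitary" is misspelled; suggest "overwrite memory in the bhyve(8) process, possibly permitting arbitrary code execution". Separately, the header says "Affects: All supported versions of FreeBSD" while the Corrected field and section VI list only stable/11 and releng/11.2, so a sentence stating how the other supported branches are covered would help readers decide whether they need to act. The URLs in sections VI and VII also carry a stray ";" after the closing ">".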

Added: head/share/security/patches/SA-18:14/bhyve.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:14/bhyve.patch	Tue Dec  4 18:45:45 2018	(r52569)
@@ -0,0 +1,97 @@
+--- usr.sbin/bhyve/fwctl.c.orig
++++ usr.sbin/bhyve/fwctl.c
+@@ -79,8 +79,8 @@
+ 
+ struct op_info {
+ 	int op;
+-	int  (*op_start)(int len);
+-	void (*op_data)(uint32_t data, int len);
++	int  (*op_start)(uint32_t len);
++	void (*op_data)(uint32_t data, uint32_t len);
+ 	int  (*op_result)(struct iovec **data);
+ 	void (*op_done)(struct iovec *data);
+ };
+@@ -119,7 +119,7 @@
+ }
+ 
+ static int
+-errop_start(int len)
++errop_start(uint32_t len)
+ {
+ 	errop_code = ENOENT;
+ 
+@@ -128,7 +128,7 @@
+ }
+ 
+ static void
+-errop_data(uint32_t data, int len)
++errop_data(uint32_t data, uint32_t len)
+ {
+ 
+ 	/* ignore */
+@@ -188,7 +188,7 @@
+ static size_t fget_size;
+ 
+ static int
+-fget_start(int len)
++fget_start(uint32_t len)
+ {
+ 
+ 	if (len > FGET_STRSZ)
+@@ -200,7 +200,7 @@
+ }
+ 
+ static void
+-fget_data(uint32_t data, int len)
++fget_data(uint32_t data, uint32_t len)
+ {
+ 
+ 	*((uint32_t *) &fget_str[fget_cnt]) = data;
+@@ -285,8 +285,8 @@
+ 	struct op_info *req_op;
+ 	int	 resp_error;
+ 	int	 resp_count;
+-	int	 resp_size;
+-	int	 resp_off;
++	size_t	 resp_size;
++	size_t	 resp_off;
+ 	struct iovec *resp_biov;
+ } rinfo;
+ 
+@@ -346,13 +346,14 @@
+ static int
+ fwctl_request_data(uint32_t value)
+ {
+-	int remlen;
+ 
+ 	/* Make sure remaining size is >= 0 */
+-	rinfo.req_size -= sizeof(uint32_t);
+-	remlen = MAX(rinfo.req_size, 0);
++	if (rinfo.req_size <= sizeof(uint32_t))
++		rinfo.req_size = 0;
++	else
++		rinfo.req_size -= sizeof(uint32_t);
+ 
+-	(*rinfo.req_op->op_data)(value, remlen);
++	(*rinfo.req_op->op_data)(value, rinfo.req_size);
+ 
+ 	if (rinfo.req_size < sizeof(uint32_t)) {
+ 		fwctl_request_done();
+@@ -401,7 +402,7 @@
+ fwctl_response(uint32_t *retval)
+ {
+ 	uint32_t *dp;
+-	int remlen;
++	ssize_t remlen;
+ 
+ 	switch(rinfo.resp_count) {
+ 	case 0:
+@@ -436,7 +437,7 @@
+ 	}
+ 
+ 	if (rinfo.resp_count > 3 &&
+-	    rinfo.resp_size - rinfo.resp_off <= 0) {
++	    rinfo.resp_off >= rinfo.resp_size) {
+ 		fwctl_response_done();
+ 		return (1);
+ 	}
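Review bot: In the fwctl_request_data hunk (@@ -346,13), the new clamp "if (rinfo.req_size <= sizeof(uint32_t))" is only correct when req_size is unsigned, and its declaration lies above the struct context shown in the @@ -285,8 hunk, where only resp_size and resp_off change type. If req_size were still a signed int, a negative value would be converted to a large unsigned value in this comparison and take the else branch. Suggest confirming that req_size has an unsigned type (or changing it alongside resp_size) and updating the now stale comment "Make sure remaining size is >= 0". In the fget_data hunk, the store "*((uint32_t *) &fget_str[fget_cnt]) = data;" has no visible bound on fget_cnt, so it depends entirely on the "len > FGET_STRSZ" test in fget_start now being an unsigned comparison; an explicit check of fget_cnt before the write would make that function safe on its own. In fwctl_response, remlen becomes ssize_t while resp_size and resp_off become size_t, so any subtraction feeding remlen mixes signedness and deserves a second look.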

Added: head/share/security/patches/SA-18:14/bhyve.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:14/bhyve.patch.asc	Tue Dec  4 18:45:45 2018	(r52569)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGymNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJzbw//cA11jv1m7gHMt4lxFwjQYxEO+WvLXZWvPv+69sCMnx++3B22bx9ppYgR
+DSTE3bdIod9qPbVt8DCgMIP5M1txy4a9WfXUy0UnNPy4Q8Kc91oztGQD4x5ne06M
+sluBUK5fhEFwyYiwlzS0JbUH7JXQ3WNrbyuk9eyegPVijFmmuv71hNCs2QUA0gxl
+XDbGg3xmfhkIYdVNVj+yp+kUCNaphe0GV4SeY2n3SrdUPePJnSyXGMFbPHtn8eJP
+fqE4KaaOfGy1xehzdLnfGWK52n/VIpWoLLNP+7xeNyL1eJ8loAMTY06rbQufKq0H
+BQKvd288RrIAESKHyCGsrb1KEruVPqQ3USO2LEB9IJrMpAiNSmjHa5M/u+KjMv6C
+VSSAIiyDPu0XlCC5PaPeGoCb2d1RbVQqgiIi6/am6bxOWtMI5hZgcbrGywlZCM18
+JC0KnINEGwMh2P6ObOnFOuZmn6g7QPTTkSeZkKqsfsV2UQ2cRvfRGvaEl3oov2LZ
+PpIYJQhOHhU+HrjZC6HyV+lQ9xlWMzsy94/oTyr8C2Dp7rAD3KbZSdAvgRfONkgk
+Ht3+sniufuFpYa2dmUmHyYjvkw7ERwPaIA69hIPMylR/+QTwFsloCBgccB/lu/At
+uet8vayiEEMo1TKk+LVt9HsVMcg6ZizKq+emAuxssb34QejcSj4=
+=4eUb
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Dec  4 18:45:07 2018	(r52568)
+++ head/share/xml/advisories.xml	Tue Dec  4 18:45:45 2018	(r52569)
@@ -8,6 +8,19 @@
     <name>2018</name>
 
     <month>
+      <name>12</name>
+
+      <day>
+	<name>04</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:14.bhyve</name>
+	</advisory>
+
+      </day>
+    </month>
+
+    <month>
       <name>11</name>
 
       <day>


