svn commit: r52569 - in head/share: security/advisories security/patches/SA-18:14 xml
Gordon Tetlow
gordon at FreeBSD.org
Tue Dec 4 18:45:46 UTC 2018
Author: gordon (src,ports committer)
Date: Tue Dec 4 18:45:45 2018
New Revision: 52569
URL: https://svnweb.freebsd.org/changeset/doc/52569
Log:
Publish FreeBSD-SA-18:14.bhyve.
Approved by: so
Added:
head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc (contents, props changed)
head/share/security/patches/SA-18:14/
head/share/security/patches/SA-18:14/bhyve.patch (contents, props changed)
head/share/security/patches/SA-18:14/bhyve.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc Tue Dec 4 18:45:45 2018 (r52569)
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:14.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient bounds checking in bhyve(8) device model
+
+Category: core
+Module: bhyve
+Announced: 2018-12-04
+Credits: Reno Robert
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
+ 2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
+CVE Name: CVE-2018-17160
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The bhyve hypervisor uses the bhyve(8) program to emulate support for most
+virtual devices used by guest operating systems.
+
+II. Problem Description
+
+Insufficient bounds checking in one of the device models provided by bhyve(8)
+can permit a guest operating system to overwrite memory in the bhyve(8)
+processing possibly permitting arbitary code execution.
+
+III. Impact
+
+A guest OS using a firmware image can cause the bhyve process to crash, or
+possibly execute arbitrary code on the host as root.
+
+IV. Workaround
+
+The device model in question is only enabled when booting guests with a
+firmware image such as the UEFI images from the bhyve-firmware package.
+Guests booted using bhyveload(8) or grub2-bhyve are not affected. Guests
+using operating systems supported by bhyveload(8) or grub2-bhyve can be
+booted using these tools as a workaround.
+
+No workaround is available for guest operating systems such as Windows that
+require a firmware image.
+
+V. Solution
+
+Perform one of the following:
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, restart guests using firmware images.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Afterward, restart guests using firmware images.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r341486
+releng/11.2/ r341488
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=4zGb
+-----END PGP SIGNATURE-----
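Review bot: Section II of the advisory text has two wording slips in its last sentence: "in the bhyve(8) processing possibly permitting arbitary code execution" should read "in the bhyve(8) process, possibly permitting arbitrary code execution". Because the file is clearsigned, correcting it means re-signing the advisory rather than editing the committed text in place.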
Added: head/share/security/patches/SA-18:14/bhyve.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-18:14/bhyve.patch Tue Dec 4 18:45:45 2018 (r52569)
@@ -0,0 +1,97 @@
+--- usr.sbin/bhyve/fwctl.c.orig
++++ usr.sbin/bhyve/fwctl.c
+@@ -79,8 +79,8 @@
+
+ struct op_info {
+ int op;
+- int (*op_start)(int len);
+- void (*op_data)(uint32_t data, int len);
++ int (*op_start)(uint32_t len);
++ void (*op_data)(uint32_t data, uint32_t len);
+ int (*op_result)(struct iovec **data);
+ void (*op_done)(struct iovec *data);
+ };
+@@ -119,7 +119,7 @@
+ }
+
+ static int
+-errop_start(int len)
++errop_start(uint32_t len)
+ {
+ errop_code = ENOENT;
+
+@@ -128,7 +128,7 @@
+ }
+
+ static void
+-errop_data(uint32_t data, int len)
++errop_data(uint32_t data, uint32_t len)
+ {
+
+ /* ignore */
+@@ -188,7 +188,7 @@
+ static size_t fget_size;
+
+ static int
+-fget_start(int len)
++fget_start(uint32_t len)
+ {
+
+ if (len > FGET_STRSZ)
+@@ -200,7 +200,7 @@
+ }
+
+ static void
+-fget_data(uint32_t data, int len)
++fget_data(uint32_t data, uint32_t len)
+ {
+
+ *((uint32_t *) &fget_str[fget_cnt]) = data;
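Review bot: In fget_data() the store `*((uint32_t *) &fget_str[fget_cnt]) = data;` has no guard in the lines shown here; the only size check visible in this patch is `len > FGET_STRSZ` in fget_start(), and nothing in this hunk uses the new `uint32_t len` argument. An explicit check that fget_cnt plus sizeof(uint32_t) stays within fget_str, placed directly before the write, would keep the function safe without relying on its caller, and copying the value with memcpy() would avoid the pointer cast.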
+@@ -285,8 +285,8 @@
+ struct op_info *req_op;
+ int resp_error;
+ int resp_count;
+- int resp_size;
+- int resp_off;
++ size_t resp_size;
++ size_t resp_off;
+ struct iovec *resp_biov;
+ } rinfo;
+
+@@ -346,13 +346,14 @@
+ static int
+ fwctl_request_data(uint32_t value)
+ {
+- int remlen;
+
+ /* Make sure remaining size is >= 0 */
+- rinfo.req_size -= sizeof(uint32_t);
+- remlen = MAX(rinfo.req_size, 0);
++ if (rinfo.req_size <= sizeof(uint32_t))
++ rinfo.req_size = 0;
++ else
++ rinfo.req_size -= sizeof(uint32_t);
+
+- (*rinfo.req_op->op_data)(value, remlen);
++ (*rinfo.req_op->op_data)(value, rinfo.req_size);
+
+ if (rinfo.req_size < sizeof(uint32_t)) {
+ fwctl_request_done();
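Review bot: The new test `rinfo.req_size <= sizeof(uint32_t)` only clamps correctly if req_size is an unsigned type, and its declaration is not among the lines this patch touches (the struct hunk changes only resp_size and resp_off). Worth confirming the type, since a signed req_size would be converted to unsigned for the comparison and a negative value would take the subtraction branch. The retained comment "Make sure remaining size is >= 0" also no longer describes the code; something like "Clamp the remaining size at zero" would match.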
+@@ -401,7 +402,7 @@
+ fwctl_response(uint32_t *retval)
+ {
+ uint32_t *dp;
+- int remlen;
++ ssize_t remlen;
+
+ switch(rinfo.resp_count) {
+ case 0:
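Review bot: remlen becomes a signed ssize_t here while the struct hunk above makes rinfo.resp_size and rinfo.resp_off size_t, so any remlen derived from their difference mixes signed and unsigned arithmetic; the computation itself is outside the lines shown. Consider making remlen a size_t and computing it only after checking resp_off against resp_size, the same form the last hunk uses in `rinfo.resp_off >= rinfo.resp_size`.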
+@@ -436,7 +437,7 @@
+ }
+
+ if (rinfo.resp_count > 3 &&
+- rinfo.resp_size - rinfo.resp_off <= 0) {
++ rinfo.resp_off >= rinfo.resp_size) {
+ fwctl_response_done();
+ return (1);
+ }
Added: head/share/security/patches/SA-18:14/bhyve.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-18:14/bhyve.patch.asc Tue Dec 4 18:45:45 2018 (r52569)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=4eUb
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Dec 4 18:45:07 2018 (r52568)
+++ head/share/xml/advisories.xml Tue Dec 4 18:45:45 2018 (r52569)
@@ -8,6 +8,19 @@
<name>2018</name>
<month>
+ <name>12</name>
+
+ <day>
+ <name>04</name>
+
+ <advisory>
+ <name>FreeBSD-SA-18:14.bhyve</name>
+ </advisory>
+
+ </day>
+ </month>
+
+ <month>
<name>11</name>
<day>