From: Gordon Tetlow
Date: Tue, 4 Dec 2018 18:45:45 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r52569 - in head/share: security/advisories security/patches/SA-18:14 xml

Author: gordon (src,ports committer)
Date: Tue Dec 4 18:45:45 2018
New Revision: 52569
URL: https://svnweb.freebsd.org/changeset/doc/52569

Log:
  Publish FreeBSD-SA-18:14.bhyve.

  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc (contents, props changed)
  head/share/security/patches/SA-18:14/
  head/share/security/patches/SA-18:14/bhyve.patch (contents, props changed)
  head/share/security/patches/SA-18:14/bhyve.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:14.bhyve.asc Tue Dec 4 18:45:45 2018 (r52569) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:14.bhyve Security Advisory + The FreeBSD Project + +Topic: Insufficient bounds checking in bhyve(8) device model + +Category: core +Module: bhyve +Announced: 2018-12-04 +Credits: Reno Robert +Affects: All supported versions of FreeBSD. +Corrected: 2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE) + 2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6) +CVE Name: CVE-2018-17160 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The bhyve hypervisor uses the bhyve(8) program to emulate support for most +virtual devices used by guest operating systems. + +II. Problem Description + +Insufficient bounds checking in one of the device models provided by bhyve(8) +can permit a guest operating system to overwrite memory in the bhyve(8) +processing possibly permitting arbitary code execution. + +III. Impact + +A guest OS using a firmware image can cause the bhyve process to crash, or +possibly execute arbitrary code on the host as root. + +IV. Workaround + +The device model in question is only enabled when booting guests with a +firmware image such as the UEFI images from the bhyve-firmware package. +Guests booted using bhyveload(8) or grub2-bhyve are not affected. Guests +using operating systems supported by bhyveload(8) or grub2-bhyve can be +booted using these tools as a workaround. + +No workaround is available for guest operating systems such as Windows that +require a firmware image. + +V. Solution + +Perform one of the following: + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, restart guests using firmware images. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Afterward, restart guests using firmware images. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r341486 +releng/11.2/ r341488 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3 +nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg +3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv +9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9 +rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR +AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt +jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx +MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68 +vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc +fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ8PECJ+r0X5bhkzW +Ymlksu/HprW4tFLCdD4mB7lewvr3qpmoRoS1KwgMoXnRKzPbGsc= +=4zGb +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:14/bhyve.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:14/bhyve.patch Tue Dec 4 18:45:45 2018 (r52569) 
@@ -0,0 +1,97 @@ +--- usr.sbin/bhyve/fwctl.c.orig ++++ usr.sbin/bhyve/fwctl.c +@@ -79,8 +79,8 @@ + + struct op_info { + int op; +- int (*op_start)(int len); +- void (*op_data)(uint32_t data, int len); ++ int (*op_start)(uint32_t len); ++ void (*op_data)(uint32_t data, uint32_t len); + int (*op_result)(struct iovec **data); + void (*op_done)(struct iovec *data); + }; +@@ -119,7 +119,7 @@ + } + + static int +-errop_start(int len) ++errop_start(uint32_t len) + { + errop_code = ENOENT; + +@@ -128,7 +128,7 @@ + } + + static void +-errop_data(uint32_t data, int len) ++errop_data(uint32_t data, uint32_t len) + { + + /* ignore */ +@@ -188,7 +188,7 @@ + static size_t fget_size; + + static int +-fget_start(int len) ++fget_start(uint32_t len) + { + + if (len > FGET_STRSZ) +@@ -200,7 +200,7 @@ + } + + static void +-fget_data(uint32_t data, int len) ++fget_data(uint32_t data, uint32_t len) + { + + *((uint32_t *) &fget_str[fget_cnt]) = data; +@@ -285,8 +285,8 @@ + struct op_info *req_op; + int resp_error; + int resp_count; +- int resp_size; +- int resp_off; ++ size_t resp_size; ++ size_t resp_off; + struct iovec *resp_biov; + } rinfo; + +@@ -346,13 +346,14 @@ + static int + fwctl_request_data(uint32_t value) + { +- int remlen; + + /* Make sure remaining size is >= 0 */ +- rinfo.req_size -= sizeof(uint32_t); +- remlen = MAX(rinfo.req_size, 0); ++ if (rinfo.req_size <= sizeof(uint32_t)) ++ rinfo.req_size = 0; ++ else ++ rinfo.req_size -= sizeof(uint32_t); + +- (*rinfo.req_op->op_data)(value, remlen); ++ (*rinfo.req_op->op_data)(value, rinfo.req_size); + + if (rinfo.req_size < sizeof(uint32_t)) { + fwctl_request_done(); +@@ -401,7 +402,7 @@ + fwctl_response(uint32_t *retval) + { + uint32_t *dp; +- int remlen; ++ ssize_t remlen; + + switch(rinfo.resp_count) { + case 0: +@@ -436,7 +437,7 @@ + } + + if (rinfo.resp_count > 3 && +- rinfo.resp_size - rinfo.resp_off <= 0) { ++ rinfo.resp_off >= rinfo.resp_size) { + fwctl_response_done(); + return (1); + } Added: 
head/share/security/patches/SA-18:14/bhyve.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:14/bhyve.patch.asc Tue Dec 4 18:45:45 2018 (r52569) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGymNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJzbw//cA11jv1m7gHMt4lxFwjQYxEO+WvLXZWvPv+69sCMnx++3B22bx9ppYgR +DSTE3bdIod9qPbVt8DCgMIP5M1txy4a9WfXUy0UnNPy4Q8Kc91oztGQD4x5ne06M +sluBUK5fhEFwyYiwlzS0JbUH7JXQ3WNrbyuk9eyegPVijFmmuv71hNCs2QUA0gxl +XDbGg3xmfhkIYdVNVj+yp+kUCNaphe0GV4SeY2n3SrdUPePJnSyXGMFbPHtn8eJP +fqE4KaaOfGy1xehzdLnfGWK52n/VIpWoLLNP+7xeNyL1eJ8loAMTY06rbQufKq0H +BQKvd288RrIAESKHyCGsrb1KEruVPqQ3USO2LEB9IJrMpAiNSmjHa5M/u+KjMv6C +VSSAIiyDPu0XlCC5PaPeGoCb2d1RbVQqgiIi6/am6bxOWtMI5hZgcbrGywlZCM18 +JC0KnINEGwMh2P6ObOnFOuZmn6g7QPTTkSeZkKqsfsV2UQ2cRvfRGvaEl3oov2LZ +PpIYJQhOHhU+HrjZC6HyV+lQ9xlWMzsy94/oTyr8C2Dp7rAD3KbZSdAvgRfONkgk +Ht3+sniufuFpYa2dmUmHyYjvkw7ERwPaIA69hIPMylR/+QTwFsloCBgccB/lu/At +uet8vayiEEMo1TKk+LVt9HsVMcg6ZizKq+emAuxssb34QejcSj4= +=4eUb +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Dec 4 18:45:07 2018 (r52568) +++ head/share/xml/advisories.xml Tue Dec 4 18:45:45 2018 (r52569) @@ -8,6 +8,19 @@ 2018 + 12 + + + 04 + + + FreeBSD-SA-18:14.bhyve + + + + + + 11
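Review bot: In section II (Problem Description) of the added advisory text, "arbitary" is misspelled and "overwrite memory in the bhyve(8) processing" reads as if "process" was meant. Both need to be corrected before the text is signed, because any later edit to a clear-signed body invalidates the signature. Section III already uses the intended wording ("cause the bhyve process to crash, or possibly execute arbitrary code on the host as root"), so section II can mirror it.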
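Review bot: In the fget_start and fget_data hunks of bhyve.patch, the store `*((uint32_t *) &fget_str[fget_cnt]) = data;` has no bounds check of its own in the visible lines. Changing len to uint32_t makes the `if (len > FGET_STRSZ)` test in fget_start reject values that would have been negative as int, but fget_data still relies on that earlier check and on the caller's clamping. Consider guarding the write locally, for example by refusing it when fget_cnt + sizeof(uint32_t) would exceed the size of fget_str, so the bound holds regardless of how the request size was computed upstream.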
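Review bot: In the fwctl_request_data hunk, the retained comment "/* Make sure remaining size is >= 0 */" no longer describes the code. The new branch sets rinfo.req_size to 0 when it is <= sizeof(uint32_t) so that the subtraction cannot go below zero, and the comment should say that the point is to avoid wraparound. The declaration of req_size is not touched by this patch, so it is also worth confirming its type: a signed req_size would be converted to unsigned in the comparison against sizeof(uint32_t), which changes what the test accepts.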
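Review bot: In the fwctl_response hunks, remlen becomes ssize_t while rinfo.resp_size and rinfo.resp_off become size_t, so any remlen derived from those two fields mixes signed and unsigned arithmetic; the assignment itself is outside the visible context. The rewritten termination test `rinfo.resp_off >= rinfo.resp_size` correctly compares instead of subtracting. The remlen computation should get the same treatment (compare before subtracting), or carry a comment stating why resp_off cannot exceed resp_size at that point.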