ASA-2018-00065 – bhyve: Insufficient bounds checking in device model


Allele Security Alert

ASA-2018-00065

Identifier(s)

ASA-2018-00065, FreeBSD-SA-18:14.bhyve, CVE-2018-17160

Title

Insufficient bounds checking in bhyve(8) device model

Vendor(s)

The bhyve development team

Product(s)

bhyve

Affected version(s)

All supported versions of FreeBSD.

Fixed version(s)

stable/11, 11.2-STABLE
releng/11.2, 11.2-RELEASE-p6

Proof of concept

Unknown

Description

Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) process, possibly permitting arbitrary code execution.

Technical details

bhyve doesn’t treat firmware request and response sizes as unsigned.

The bounds check on the guest-supplied request size is incomplete: a very large request size can be interpreted as a negative value and is then not caught by the check.
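The bug class described above, shown as an added illustration; this is not bhyve's code. All names (REQ_BUF_MAX, size_ok_signed, size_ok_unsigned, copy_len_after_signed) and the sample sizes are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REQ_BUF_MAX 4096u   /* hypothetical size of the host-side request buffer */

/* Flawed pattern: the guest-supplied 32-bit size is held in a signed int,
 * so only an upper bound is enforced. The out-of-range conversion is
 * implementation-defined in C; mainstream compilers wrap to a negative value. */
static int size_ok_signed(uint32_t guest_size)
{
    int size = (int)guest_size;       /* 0x80000000 and above become negative */
    return size <= (int)REQ_BUF_MAX;  /* negative values pass the check */
}

/* Corrected pattern: the size stays unsigned from the guest to the check. */
static int size_ok_unsigned(uint32_t guest_size)
{
    return guest_size <= REQ_BUF_MAX;
}

/* Length a copy routine taking size_t would receive after the signed detour:
 * the negative int is converted back to a very large unsigned length. */
static size_t copy_len_after_signed(uint32_t guest_size)
{
    int size = (int)guest_size;
    return (size_t)size;
}

int main(void)
{
    /* Constructed sample sizes: in range, at the limit, just over, and "negative". */
    const uint32_t samples[] = { 16u, 4096u, 4097u, 0x7fffffffu, 0x80000000u, 0xfffffff0u };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t s = samples[i];
        printf("size=0x%08x signed_check=%s unsigned_check=%s copy_len=%zu\n",
               (unsigned)s,
               size_ok_signed(s) ? "accept" : "reject",
               size_ok_unsigned(s) ? "accept" : "reject",
               size_ok_signed(s) ? copy_len_after_signed(s) : (size_t)0);
    }
    return 0;
}
```

Only the unsigned check rejects every size above the buffer limit; the signed check accepts the two largest sample values.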

Credits

Reno Robert

Reference(s)

FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:14.bhyve.asc

FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve
https://seclists.org/bugtraq/2018/Dec/5

[base] Revision 341486
https://svnweb.freebsd.org/base?view=revision&revision=r341486

CVE-2018-17160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160

CVE-2018-17160
https://nvd.nist.gov/vuln/detail/CVE-2018-17160

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.