Allele Security Alert
ASA-2019-00510
Identifier(s)
ASA-2019-00510, CVE-2019-5609, FreeBSD-SA-19:21.bhyve
Title
Insufficient validation of guest-supplied data (e1000 device)
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD
Fixed version(s)
2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
Proof of concept
Unknown
Description
The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload (“TSO”). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.
When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.
A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.
Technical details
Unknown
Credits
Reno Robert
Reference(s)
FreeBSD-SA-19:21.bhyve.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc
bhyve.patch
https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
bhyve.patch.asc
https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
[base] Revision 350619
https://svnweb.freebsd.org/base?view=revision&revision=r350619
[base] Revision 350647
https://svnweb.freebsd.org/base?view=revision&revision=r350647
[base] Revision 350619
https://svnweb.freebsd.org/base?view=revision&revision=r350619
CVE-2019-5609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609
CVE-2019-5609
https://nvd.nist.gov/vuln/detail/CVE-2019-5609
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 12, 2019