Allele Security Intelligence - ASA-2019-00510 – FreeBSD bhyve: Insufficient validation of guest-supplied data (e1000 device)

Allele Security Alert

ASA-2019-00510

Identifier(s)

ASA-2019-00510, CVE-2019-5609, FreeBSD-SA-19:21.bhyve

Title

Insufficient validation of guest-supplied data (e1000 device)

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

All supported versions of FreeBSD

Fixed version(s)

2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)

Proof of concept

Unknown

Description

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload (“TSO”). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.

Technical details

Unknown

Credits

Reno Robert

Reference(s)

FreeBSD-SA-19:21.bhyve.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc

bhyve.patch
https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch

bhyve.patch.asc
https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc

[base] Revision 350619
https://svnweb.freebsd.org/base?view=revision&revision=r350619

[base] Revision 350647
https://svnweb.freebsd.org/base?view=revision&revision=r350647