1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve

    From FreeBSD Security Advisories@21:1/5 to All on Tue Aug 13 05:48:40 2019
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-19:21.bhyve Security Advisory
    The FreeBSD Project

    Topic: Insufficient validation of guest-supplied data (e1000 device)

    Category: core
    Module: bhyve
    Announced: 2019-08-06
    Credits: Reno Robert
    Affects: All supported versions of FreeBSD.
    Corrected: 2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
    2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
    2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
    2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
    2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
    CVE Name: CVE-2019-5609

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    bhyve(8) is a hypervisor that supports running a variety of guest operating systems in virtual machines. bhyve(8) includes an emulated Intel 82545
    network interface adapter ("e1000").

    II. Problem Description

    The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and
    TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

    When TCP segmentation offload is requested for a transmitted packet, the
    e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.

    III. Impact

    A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.

    IV. Workaround

    Only the e1000 device model is affected; the virtio-net device is not
    affected by this issue. If supported by the guest operating system
    presenting only the virtio-net device to the guest is a suitable workaround.
    No workaround is available if the e1000 device model is required.

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date,
    and restart any affected virtual machines.

    1) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the i386 or amd64
    platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    2) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
    # fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
    # gpg --verify bhyve.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    Restart the applicable virtual machines, or reboot the system.

    VI. Correction details

    The following list contains the correction revision numbers for each
    affected branch.

    Branch/path Revision
    - ------------------------------------------------------------------------- stable/12/ r350619 releng/12.0/ r350647 stable/11/ r350619 releng/11.3/ r350647 releng/11.2/ r350647
    - -------------------------------------------------------------------------

    To see which files were modified by a particular revision, run the
    following command, replacing NNNNNN with the revision number, on a
    machine with Subversion installed:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc> -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1xfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL0qA//ZdapXUMl6KuuvtZIveMZgNdMVLYaqB1K8yHXO5udd58fTsH6+Khei0LT gYGxDEJkHinM1EWy688xE+PSzb9twmEmawW4N4WMhWB9oMoTuLQ5E4Zm9my1TdDh ducK6Q4GqOojIXJ0LtHDqs9qveAfkgB6L6jmLt/1jpZelLupte3S+bPmI4yta7ge 7k54V9GcN05i7wX2TaZA7H3ROQziW537ZeoRB8BQwt7bekFw2uBfO9s0CWcJZPnG +0D6QEsRqbtYMJr5RkUCc1y4qaqnWBBn/Zyyr0P+bXZklU/IW2GJTDWNObXN7DPE NOhuVY7PQHN6jv3u+nKa1AY7mjI3zBo009iAfPQFCb9Kn08tJ2A9WrExEMwZdcbI nXVqCRdp7xCSPO73vjNv4btzvAU7iwbaBkpGFs721cH72ImvmXi7TwepPEAul0do VwKYMxhStZtoDQhEea1eq41KNvqxmA/mkbEjpKcTZCUJq7xVyV4uaVme3Uq45uaa mKMWx+Gg09A2Y5NfSCiz9AGuMkIGn05hKIOK39yAG159uTks60Ybsw/bOnE9WnMJ 5igcI+U6utIMi2M6nH4rn/wKBYM9cHWmQLfo6kECUi2CCTmR5VL8BTJ/8vHCqXi1 vCcAPacKYAROsvGQyynSVLiXJAXOrc8/VyoXRHC5cAapVeParcw=
    =0XzG
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-announce@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)