FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- bhyve privileged guest escape via fwctl

Affected packages
13.2 <= FreeBSD < 13.2_2
13.1 <= FreeBSD < 13.1_9
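
An added example, not part of the VuXML entry or the FreeBSD project's tooling: a POSIX sh function that classifies a userland version string against the two ranges above. It assumes the VuXML form "13.2_2" corresponds to "13.2-RELEASE-p2" as printed by freebsd-version(1); the function name fwctl_status is hypothetical.

```shell
#!/bin/sh
# Added example: compare a FreeBSD userland version with the affected
# ranges in this entry (13.2 before p2, 13.1 before p9).
# Assumption: "13.2_2" in VuXML means "13.2-RELEASE-p2"; a -RELEASE string
# without "-pN" is patch level 0.

# Print "affected", "fixed" or "not-listed" for one version string.
fwctl_status() {
    ver=$1
    release=${ver%%-*}              # "13.2-RELEASE-p1" -> "13.2"
    case $ver in
        *-RELEASE-p*) patch=${ver##*-p} ;;
        *-RELEASE)    patch=0 ;;
        # -STABLE, -CURRENT and similar are not covered by these ranges.
        *)            echo "not-listed"; return 0 ;;
    esac
    # Refuse a non-numeric patch level rather than guessing.
    case $patch in
        ''|*[!0-9]*) echo "not-listed"; return 0 ;;
    esac
    # First patch level outside the affected range, per release.
    case $release in
        13.2) fixed=2 ;;
        13.1) fixed=9 ;;
        *)    echo "not-listed"; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# bhyve is a userspace process, so the userland version (-u) is the one
# that matters. Only runs where freebsd-version(1) is installed.
if command -v freebsd-version >/dev/null 2>&1; then
    v=$(freebsd-version -u)
    echo "$v: $(fwctl_status "$v")"
fi
```

A "not-listed" result means the string falls outside the two ranges in this entry, not that the system has been verified as unaffected.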

Details

VuXML ID ab437561-47c0-11ee-8e38-002590c1f29c
Discovery 2023-08-01
Entry 2023-08-31

Problem Description:

The fwctl driver implements a state machine which is executed when the guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string.

Impact:

Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

References

CVE Name CVE-2023-3494
FreeBSD Advisory SA-23:07.bhyve