FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)

Affected packages
12.0 <= FreeBSD-kernel < 12.0_9
11.3 <= FreeBSD-kernel < 11.3_2
11.2 <= FreeBSD-kernel < 11.2_13

Details

VuXML ID 499b22a3-f680-11e9-a87f-a4badb2f4699
Discovery 2019-08-06
Entry 2019-10-24

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.

References

CVE Name CVE-2019-5609
FreeBSD Advisory SA-19:21.bhyve