Code execution outside the virtualized guest in bhyve [CVE-2021-29631]

We discussed this vulnerability during Episode 80 on 07 September 2021

Bhyve is FreeBSD’s type-2 hypervisor. The author of this GitHub security advisory discovered 6 bugs that can lead to a VM escape in various drivers, and all of them are essentially the same issue in different places. Various drivers call vq_getchain() to fill an iovec object with the memory ranges the guest had previously set up for its virtio queues. This function can fail, though, if the guest never set up any virtio queues. Many functions that call vq_getchain() do not check its return value (or check it improperly), and end up using an uninitialized iovec object for writing.

The following functions all contain this bug:

  • pci_vtrnd_notify()
  • pci_vt9p_notify()
  • pci_vtcon_sock_rx()
  • pci_vtscsi_controlq_notify()
  • pci_vtscsi_requestq_notify()

The pci_vtcon_notify_tx() function contains a very similar bug: it does try to check the return value, but it does so incorrectly. It stores the return value in a uint16, which is problematic because vq_getchain() returns a signed integer. When the function returns -1 on failure, that value is read as a large positive uint16 instead of the expected error value, so the error check never triggers.
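To make the signed/unsigned mix-up concrete, here is an added example (not bhyve's code or the advisory's) with a hypothetical stand-in for vq_getchain() and a constructed virtqueue struct: the buggy caller stores the result in a uint16_t and so proceeds on failure, while the corrected caller keeps the signed type and bails out.

```c
#include <stdint.h>
#include <stddef.h>
#include <sys/uio.h>    /* struct iovec */

/* Constructed stand-in for a bhyve virtqueue (not bhyve's real struct):
 * vq_ready is 0 when the guest never configured the queue. */
struct vqueue_info_stub {
	int	 vq_ready;
	void	*buf;	/* one constructed guest buffer */
	size_t	 len;
};

/* Hypothetical stand-in for vq_getchain() with the same contract as the
 * real one: number of iovec entries filled, or -1 on failure (iov untouched). */
static int
stub_vq_getchain(struct vqueue_info_stub *vq, struct iovec *iov, int niov)
{
	if (!vq->vq_ready || niov < 1)
		return (-1);
	iov[0].iov_base = vq->buf;
	iov[0].iov_len = vq->len;
	return (1);
}

/* Mirrors the pci_vtcon_notify_tx mistake: the signed result lands in a
 * uint16_t, so -1 becomes 65535 and "n < 1" never fires. Returns 1 if the
 * driver would go on to use the uninitialized iov, 0 if it bailed out. */
static int
notify_tx_buggy(struct vqueue_info_stub *vq)
{
	struct iovec iov[1];
	uint16_t n;
	n = stub_vq_getchain(vq, iov, 1);
	if (n < 1)
		return (0);
	return (1);	/* reached even though vq_getchain() failed */
}

/* Corrected form: keep the signed type so -1 (and 0) are caught. */
static int
notify_tx_fixed(struct vqueue_info_stub *vq)
{
	struct iovec iov[1];
	int n;
	n = stub_vq_getchain(vq, iov, 1);
	if (n < 1)
		return (0);
	return (1);
}
```

The same "check the signed return value before touching iov" rule is what the unchecked callers listed above were missing entirely.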