Code execution outside the virtualized guest in bhyve [CVE-2021-29631]
Bhyve is FreeBSD’s type-2 hypervisor. The author of this GitHub security advisory discovered 6 bugs that can lead to a VM escape in various drivers, and all of them are essentially the same issue in different places. Various drivers call vq_getchain() to fill an iovec object with memory ranges the guest had previously set up for virtio queues. This function can fail, though, if the guest never set up any virtio queues to use. Many functions that call vq_getchain() do not check its return value (or check it improperly), and end up using an uninitialized iovec object for writing.
The following functions all contain this bug:
pci_vtrnd_notify()
pci_vt9p_notify()
pci_vtcon_sock_rx()
pci_vtscsi_controlq_notify()
pci_vtscsi_requestq_notify()
The pci_vtcon_notify_tx function contains a very similar bug, where it tries to check the return value but does so incorrectly. It stores the return value in a uint16, which is problematic because the function returns a signed integer. When vq_getchain() returns -1 on failure, the stored value is read as a large positive uint16 instead of the expected error value, so the error check never triggers.
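To make the two failure modes concrete, here is an added example that is not bhyve's code: vq_stub and vq_getchain_stub are constructed stand-ins for a virtio queue and for vq_getchain() (signed int return, -1 when the guest never set up the queue), and the `n < 1` test is a simplified version of a driver-side check, not the exact line from pci_vtcon_notify_tx. The first function shows the uint16_t truncation letting -1 slip past the check; the second shows the corrected signed check.

```c
#include <stdint.h>
#include <stddef.h>
#include <sys/uio.h>

/* Constructed stand-in for a virtio queue: "ready" mirrors whether the
 * guest has set the queue up. Real bhyve uses struct vqueue_info. */
struct vq_stub { int ready; size_t chain_len; };

/* Constructed stand-in for vq_getchain(): on success it fills iov and
 * returns the number of entries (>= 1); it returns -1 when the guest has
 * not set up the queue. The signed return type is the whole point. */
static int vq_getchain_stub(struct vq_stub *vq, struct iovec *iov, int niov)
{
    static char guest_buf[64];          /* constructed guest memory */
    if (!vq->ready || niov < 1)
        return -1;                      /* no descriptor chain available */
    iov[0].iov_base = guest_buf;
    iov[0].iov_len = vq->chain_len;
    return 1;
}

/* Buggy pattern: the result is stored in a uint16_t, so -1 becomes 65535
 * and the error branch is never taken. Returns 1 if the caller would go
 * on to use the still-uninitialized iov, 0 if it bailed out. */
int notify_truncated_check(struct vq_stub *vq)
{
    struct iovec iov[1];
    uint16_t n = (uint16_t)vq_getchain_stub(vq, iov, 1);
    if (n < 1)                          /* 65535 < 1 is false: check lost */
        return 0;
    return 1;                           /* would write via uninitialized iov */
}

/* Corrected pattern: keep the signed value and reject anything below 1
 * before iov is touched. */
int notify_checked(struct vq_stub *vq)
{
    struct iovec iov[1];
    int n = vq_getchain_stub(vq, iov, 1);
    if (n < 1)
        return 0;                       /* queue not ready: do not use iov */
    return 1;
}
```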