FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- bhyve(8) virtual machine escape

Affected packages
11.0 <= FreeBSD < 11.0_4
10.3 <= FreeBSD < 10.3_13
10.2 <= FreeBSD < 10.2_26
10.1 <= FreeBSD < 10.1_43

Details

VuXML ID e722e3c6-bbee-11e6-b1cf-14dae9d210b8
Discovery 2016-12-06
Entry 2016-12-06

Problem Description:

The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow.

Impact:

For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on.

References

CVE Name CVE-2016-1889
FreeBSD Advisory SA-16:38.bhyve