1 files changed, 160 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc
new file mode 100644
index 0000000000..3d8ba5176c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc
@@ -0,0 +1,160 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-22:05.bhyve                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Bhyve e82545 device emulation out-of-bounds write
+
+Category:       core
+Module:         bhyve
+Announced:      2022-04-06
+Credits:        Mehdi Talbi, Synacktiv
+Affects:        All supported versions of FreeBSD.
+Corrected:      2022-04-05 22:59:52 UTC (stable/13, 13.1-STABLE)
+                2022-04-06 01:56:57 UTC (releng/13.1, 13.1-RC1-p1)
+                2022-04-06 03:04:14 UTC (releng/13.0, 13.0-RELEASE-p11)
+                2022-04-05 23:03:35 UTC (stable/12, 12.3-STABLE)
+                2022-04-06 03:06:28 UTC (releng/12.3, 12.3-RELEASE-p5)
+CVE Name:       CVE-2022-23087
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest
+operating systems in virtual machines.  It implements a number of device
+models, including an emulated Intel 82545 network interface adapter.
+
+II.  Problem Description
+
+The e1000 network adapters permit a variety of modifications to an Ethernet
+packet when it is being transmitted.  These include the insertion of IP and
+TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
+offload ("TSO").  The e1000 device model uses an on-stack buffer to generate
+the modified packet header when simulating these modifications on transmitted
+packets.
+
+When checksum offload is requested for a transmitted packet, the e1000 device
+model used a guest-provided value to specify the checksum offset in the on-
+stack buffer.  The offset was not validated for certain packet types.
+
+III. Impact
+
+A misbehaving bhyve guest could overwrite memory in the bhyve process on the
+host, possibly leading to code execution in the host context.
+
+The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD
+version and bhyve configuration) limits the impact of exploiting this issue.
+
+IV.  Workaround
+
+Only the e1000 device model is affected; the virtio-net device is not
+affected by this issue.  If supported by the guest operating system,
+presenting only the virtio-net device to the guest is a suitable workaround.
+No workaround is available if the e1000 device model is required.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and restart bhyve virtual machines.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386 platforms can
+be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable bhyve virtual machines, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              53f722094798    stable/13-n250272
+releng/13.1/                            5a28d8befda0  releng/13.1-n250078
+releng/13.0/                            b85c68857da3  releng/13.0-n244795
+stable/12/                                                        r371867
+releng/12.3/                                                      r371871
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23087>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:05.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n
+5cJERBAAoqZXVIwucgIMLepm3hQdmYsuYGDhfp12ggOR8GO/a9oL9c21u5JSSNUq
+w966VU8u2Tv3JjKhNpXWSR9hbUSTuEWarkcrutNDe69GwcWv0Q8DU3DwhfrT6e9K
++IO/yMNUUBL9LlWRW4XftiowNV2r9KvqzYsGbk8Wi+bN1Vd9gXo1r31Nu3Y3JBls
+EOjk8aoDuCCUqZKVjKw7VNXDjAo3MKnnt7s6nRLSJRvJH7iDGxttWGbAiREqLO07
+Aqg0ZUbbtUs8PvOL38yj/eiC4tLdOGna+Nm7VNoiS+Ee2uL/tbGU079UCgqgSJ7k
+/0U8nrDss8NRirsFEbpYiNFs2zi+6dtRKjAzMGKxMU6TTnHodzfLBGsrOws5TmlS
+bblLVykXBT1egNT180gCNjBRdK2mYaF23wVEPbd8bg0+JPfG5MyylG137uJJw2B0
+24RZpY3ciRCUw6xn9mRk//SOQh4fvtLSdNPfGtoYtHmzhao8wvWBqPw7SvkMkUP4
+hsdNeutyIZjqTCDvtUD4Ge81BPLnW8fUkd7yNLbWFLGBqZGlCs/xBdmTqCS/XLF7
+y9cPEsS7wb1sZS087uULgUrEDFPCnktozZ1ycCwoqCZy7dt6/zYFrYH1xu3AN+Ji
+hso4aoM18gVNadHfMRqHNClBDO0iaxuXPrg+SMqffOrdQCznQ3k=
+=CgB+
+-----END PGP SIGNATURE-----