Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Code execution outside the virtualized guest in bhyve- 607

Agustin Gianni - GitHub Security Lab, posted 4 years ago
  • bhyve is the hypervisor that ships with FreeBSD.
  • In bhyve, vtrnd is a paravirtualized (virtio) random number device that is exposed to the guest as a hardware RNG. Random bytes are transferred into guest memory through queues that the guest defines: the device calls vq_getchain to fill a struct iovec with the memory ranges the guest specified, then writes the entropy into those ranges.
  • When vtrnd calls these queue helpers it is essential to check the return value, and to check it correctly. The post finds several places where the return value is not checked at all, and others where a signedness conversion defeats the check that is there.
  • Issue #1: vq_getchain is what initializes the iovec and reports how many descriptors it filled in. Because its return value is never checked, an error return leaves the iovec uninitialized and the code goes on to use it anyway. If the right data can be placed in those stale stack locations, the result is serious memory corruption on the host side.
  • The same unchecked-return pattern recurs in Issues #2, #3 and #5.
  • Issues #2 and #4 are integer conversion bugs. The function returns a signed int, with -1 signalling an error, but the callers store that value in an unsigned type, so the -1 error case is silently turned into a large positive number.
  • Issue #2 stores the return value in a size_t; a -1 becomes SIZE_MAX and is then used as the length of a memcpy.
  • Issue #4 stores the return value in a uint16_t and then asserts that it is greater than or equal to 1. Because the type is unsigned, -1 becomes 65535 and the check passes. It is also worth asking whether that assert is compiled into a production build at all (assert is removed when NDEBUG is defined); if not, there is no check whatsoever, which may be another CVE.
  • All of these bugs lead to use of uninitialized memory, which, with the right data in place, can be devastating. It is striking how a simple failure to validate return values can lead to the compromise of a program, here an escape from the guest to the host.
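As an added illustration of the return-value bugs summarized above (this is not bhyve's code and not from the GitHub Security Lab post), the block below models vq_getchain with a mock that returns -1 on a malformed guest chain, shows the two conversion mistakes the notes describe (-1 stored into size_t, -1 stored into uint16_t and then range-checked), and puts a hardened version beside them. The mock, the guest memory buffer and the "entropy" pattern are all constructed stand-ins; none of the names are bhyve's.

```c
/* Added example (not bhyve code): models the unchecked / mis-typed
 * vq_getchain return value described in the notes above. All names here
 * are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

#define MAX_IOV 4

/* Constructed stand-in for a 64-byte guest buffer. */
static uint8_t guest_mem[64];

/* Mock of the queue helper: fills iov[0] with the guest's buffer and
 * returns the number of descriptors, or -1 if the guest's descriptor
 * chain is malformed. Like the real helper, iov is left untouched on
 * error, so a caller that ignores -1 reads an uninitialized iovec. */
static int mock_vq_getchain(int guest_chain_ok, struct iovec *iov, int niov)
{
    if (!guest_chain_ok || niov < 1)
        return -1;
    iov[0].iov_base = guest_mem;
    iov[0].iov_len = sizeof guest_mem;
    return 1;
}

/* Issue #2 pattern: the signed result lands in a size_t, so the -1 error
 * becomes SIZE_MAX, which is then handed to memcpy as a length. */
size_t buggy_len_as_size_t(int guest_chain_ok)
{
    struct iovec iov[MAX_IOV];
    size_t n = mock_vq_getchain(guest_chain_ok, iov, MAX_IOV);
    return n; /* SIZE_MAX on error */
}

/* Issue #4 pattern: the result lands in a uint16_t and is then checked
 * with n >= 1. -1 becomes 65535, so the check passes on error. */
int buggy_check_passes(int guest_chain_ok)
{
    struct iovec iov[MAX_IOV];
    uint16_t n = mock_vq_getchain(guest_chain_ok, iov, MAX_IOV);
    return n >= 1; /* 1 even when the helper failed */
}

/* Hardened: keep the signed type, reject errors and out-of-range counts
 * before anything touches iov, and only then convert to size_t. */
int hardened_getchain(int guest_chain_ok, struct iovec *iov, int niov,
                      size_t *out_n)
{
    int n = mock_vq_getchain(guest_chain_ok, iov, niov);
    if (n < 1 || n > niov) {
        *out_n = 0;
        return -1;
    }
    *out_n = (size_t)n;
    return 0;
}

/* Hardened notify step: returns bytes delivered to the guest, or -1 if
 * the chain was rejected. A constructed byte pattern stands in for the
 * entropy source. */
ssize_t hardened_notify(int guest_chain_ok)
{
    struct iovec iov[MAX_IOV];
    size_t n;
    if (hardened_getchain(guest_chain_ok, iov, MAX_IOV, &n) != 0)
        return -1;
    uint8_t *dst = iov[0].iov_base;
    for (size_t i = 0; i < iov[0].iov_len; i++)
        dst[i] = (uint8_t)(i * 7 + 3);
    return (ssize_t)iov[0].iov_len;
}

int main(void)
{
    printf("bad chain, size_t len:   %zu (SIZE_MAX is %zu)\n",
           buggy_len_as_size_t(0), (size_t)SIZE_MAX);
    printf("bad chain, uint16 check: %d (1 means the check was bypassed)\n",
           buggy_check_passes(0));
    printf("bad chain, hardened:     %zd\n", hardened_notify(0));
    printf("good chain, hardened:    %zd bytes delivered\n", hardened_notify(1));
    return 0;
}
```

The point of the hardened path is that the comparison happens on the helper's own signed type before any conversion; once the value is in size_t or uint16_t the error case is indistinguishable from a large legitimate count, and an assert on the converted value, even when compiled in, cannot catch it.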