The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. Because of the missing check, receipt of a specially crafted message causes lib9p to overwrite unrelated memory.
lib9p runs inside the bhyve(8) process, so a malicious bhyve guest kernel can trigger the bug to overwrite memory in that host process. This could potentially lead to user-mode code execution on the host, subject to the limits of bhyve's Capsicum sandbox.
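As an added illustration that is not part of this entry and not lib9p's own code, the following C program models how a 9P2000 Rwalk message is unpacked into a fixed-size array of qids, once without a bound on the wire-supplied qid count and once with it. The names (RWALK_TYPE, MAX_WELEM, struct rwalk_frame, unpack_rwalk_vuln, unpack_rwalk_fixed, build_rwalk, run_rwalk_demo) are this example's own, the Rwalk bytes are constructed inside the block, and reading the missing check as "the announced number of qids is never compared against the capacity of the receiving array" is this example's interpretation of the advisory rather than something the entry states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of a 9P2000 Rwalk unpack; not lib9p's source, and all names are this
 * example's own. Wire layout (LE): size[4] type[1] tag[2] nwqid[2] nwqid*qid[13]; qid = type[1] version[4] path[8]. */
#define RWALK_TYPE    111
#define MAX_WELEM     16   /* protocol maximum of walk elements; sizes wqid[] */
#define QID_WIRE_SIZE 13
struct qid { uint8_t type; uint32_t version; uint64_t path; };
struct rwalk_frame {
    uint16_t   nwqid;
    struct qid wqid[MAX_WELEM];
    uint32_t   canary;                         /* stands in for unrelated memory after the array */
    uint8_t    guard[4 * sizeof(struct qid)];  /* keeps the demo's overflow inside this object */
};

/* Read an n-byte little-endian field; fails if the message is too short. */
static int get_le(const uint8_t *b, size_t len, size_t *off, size_t n, uint64_t *v)
{
    if (len - *off < n) return -1;
    *v = 0; for (size_t i = 0; i < n; i++) *v |= (uint64_t)b[*off + i] << (8 * i);
    *off += n;
    return 0;
}

static int get_qid(const uint8_t *b, size_t len, size_t *off, struct qid *q)
{
    uint64_t t, ver, path;
    if (get_le(b, len, off, 1, &t) || get_le(b, len, off, 4, &ver) || get_le(b, len, off, 8, &path))
        return -1;
    memset(q, 0, sizeof *q);   /* zero padding bytes so later byte copies are deterministic */
    q->type = (uint8_t)t; q->version = (uint32_t)ver; q->path = path;
    return 0;
}

/* Parse size/type/tag/nwqid; the size field must match what was actually received. */
static int get_hdr(const uint8_t *b, size_t len, size_t *off, uint64_t *nwqid)
{
    uint64_t size, type, tag;
    if (get_le(b, len, off, 4, &size) || get_le(b, len, off, 1, &type) ||
        get_le(b, len, off, 2, &tag) || get_le(b, len, off, 2, nwqid)) return -1;
    return (size == len && type == RWALK_TYPE) ? 0 : -1;
}

/* Vulnerable: nwqid comes from the wire and is never compared with MAX_WELEM, so a
 * message announcing more than 16 qids stores past the end of wqid[]. */
static int unpack_rwalk_vuln(const uint8_t *msg, size_t len, struct rwalk_frame *f)
{
    size_t off = 0; uint64_t n; struct qid q;
    if (get_hdr(msg, len, &off, &n)) return -1;
    f->nwqid = (uint16_t)n;
    for (uint16_t i = 0; i < f->nwqid; i++) {
        if (get_qid(msg, len, &off, &q)) return -1;
        /* Real code would assign f->wqid[i]; the same bytes are stored through a byte
         * offset here so the out-of-bounds store stays inside the guarded frame. */
        memcpy((uint8_t *)f + offsetof(struct rwalk_frame, wqid) + (size_t)i * sizeof q, &q, sizeof q);
    }
    return 0;
}

/* Hardened: reject the message before any qid is stored. */
static int unpack_rwalk_fixed(const uint8_t *msg, size_t len, struct rwalk_frame *f)
{
    size_t off = 0; uint64_t n;
    if (get_hdr(msg, len, &off, &n) || n > MAX_WELEM) return -1;
    f->nwqid = (uint16_t)n;
    for (uint16_t i = 0; i < f->nwqid; i++)
        if (get_qid(msg, len, &off, &f->wqid[i])) return -1;
    return 0;
}

static void put_le(uint8_t *b, size_t *off, size_t n, uint64_t v)
{
    for (size_t i = 0; i < n; i++) b[(*off)++] = (uint8_t)(v >> (8 * i));
}

/* Constructed Rwalk carrying nwqid directory qids; returns its length, 0 if cap is too small. */
static size_t build_rwalk(uint16_t nwqid, uint8_t *out, size_t cap)
{
    size_t need = 9 + (size_t)nwqid * QID_WIRE_SIZE, off = 0;
    if (need > cap) return 0;
    put_le(out, &off, 4, need); put_le(out, &off, 1, RWALK_TYPE);
    put_le(out, &off, 2, 1);    put_le(out, &off, 2, nwqid);        /* tag, nwqid */
    for (uint16_t i = 0; i < nwqid; i++)                            /* QTDIR, version, path */
        put_le(out, &off, 1, 0x80), put_le(out, &off, 4, 0), put_le(out, &off, 8, 0x1000u + i);
    return off;
}

/* Run a constructed Rwalk with the given nwqid through one routine. Returns the unpack result;
 * *canary_intact reports whether the memory after wqid[] survived. Inputs guard[] cannot absorb are refused. */
int run_rwalk_demo(uint16_t nwqid, int hardened, int *canary_intact)
{
    uint8_t msg[512]; struct rwalk_frame f;
    size_t len; int rc;
    *canary_intact = 1;
    if (nwqid > MAX_WELEM + 4 || (len = build_rwalk(nwqid, msg, sizeof msg)) == 0) return -1;
    memset(&f, 0, sizeof f); f.canary = 0xDEADBEEFu;
    rc = hardened ? unpack_rwalk_fixed(msg, len, &f) : unpack_rwalk_vuln(msg, len, &f);
    *canary_intact = (f.canary == 0xDEADBEEFu);
    return rc;
}
```

With 17 announced qids the unchecked routine reports success while the canary placed after wqid[] is clobbered by the seventeenth qid; the checked routine rejects the same bytes before storing anything. Note that the length checks in get_le are not a substitute for the count check: a message can be perfectly self-consistent on the wire and still announce more elements than the receiving structure was sized for, which is why the bound must be tested against the destination's capacity and not only against the bytes available.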
Software | Affected from | Fixed in |
---|---|---|
freebsd / freebsd | 13.0-beta1 | 13.0-beta1.x |
freebsd / freebsd | 13.0-beta2 | 13.0-beta2.x |
freebsd / freebsd | 13.0-beta3 | 13.0-beta3.x |
freebsd / freebsd | 13.0-beta3-p1 | 13.0-beta3-p1.x |
freebsd / freebsd | 13.0-beta4 | 13.0-beta4.x |
freebsd / freebsd | 13.0-rc1 | 13.0-rc1.x |
freebsd / freebsd | 13.0-rc2 | 13.0-rc2.x |
freebsd / freebsd | 13.0-rc3 | 13.0-rc3.x |
freebsd / freebsd | 13.0-rc4 | 13.0-rc4.x |
freebsd / freebsd | 13.0-rc5 | 13.0-rc5.x |
freebsd / freebsd | 13.0-rc5-p1 | 13.0-rc5-p1.x |
freebsd / freebsd | 13.0-p1 | 13.0-p1.x |
freebsd / freebsd | 13.0-p2 | 13.0-p2.x |
freebsd / freebsd | 13.0-p3 | 13.0-p3.x |
freebsd / freebsd | 13.0-p4 | 13.0-p4.x |
freebsd / freebsd | 13.0-p5 | 13.0-p5.x |
freebsd / freebsd | 13.0-p6 | 13.0-p6.x |
freebsd / freebsd | 13.0-p7 | 13.0-p7.x |
freebsd / freebsd | 13.0-p8 | 13.0-p8.x |
freebsd / freebsd | 13.0-p9 | 13.0-p9.x |
freebsd / freebsd | 13.0-p10 | 13.0-p10.x |
freebsd / freebsd | 13.0-p11 | 13.0-p11.x |
freebsd / freebsd | 13.1-b1-p1 | 13.1-b1-p1.x |
freebsd / freebsd | 13.1-b2-p2 | 13.1-b2-p2.x |
freebsd / freebsd | 13.1-rc1-p1 | 13.1-rc1-p1.x |