CVE-2022-23092 Explained: Overwriting Memory in Bhyve Process Due to Missing Bounds Check in Lib9p RWALK Messages

A newly discovered vulnerability CVE-2022-23092 in the implementation of lib9p's handling of RWALK messages can cause memory overwrites in the bhyve process due to a missing bounds check. This could potentially lead to user-mode code execution on the host, albeit subject to bhyve's Capsicum sandbox. In this post, we'll explain the details of this vulnerability and show you how it can be exploited.

Background

Lib9p is a 9P protocol library, primarily used by bhyve's VirtIO-9P backend. The RWALK message is a part of the 9P200.L protocol, used to traverse file system objects. The issue lies in the unpacking of the RWALK message contents in the server, as a missing bounds check can lead to memory overwriting by a malicious bhyve guest kernel.

Exploit Details

The vulnerability can be exploited by any guest kernel (from the bhyve virtual machine) that sends a specially crafted RWALK message thereby causing lib9p to overwrite bhyve(8) process memory. This can cause the bhyve process to execute arbitrary user-mode code on the host. However, it's essential to note that the exploit would still be subject to the restrictions imposed by bhyve's Capsicum sandbox.

Here is an example of how a malicious RWALK message could be crafted

// Generate a malformed RWALK message
void create_malicious_rwalk_message(uint8_t *buffer) {
    // Set RWALK header
    buffer[] = RWALK;
    buffer[1] = x00; // message size
    buffer[2] = x00; // reserved
    buffer[3] = x00; // reserved

    // Add payload data to cause memory overwrite
    for (int i = 4; i < MALICIOUS_RWALK_SIZE; i++) {
        buffer[i] = x00;
    }
}

Mitigation

A patch has been released that fixes the issue by adding the necessary bounds check while unpacking the RWALK messages. It's crucial to update and apply this patch to prevent the exploitation of this vulnerability. The patch can be found here:

Link to Patch

To apply the patch, you can follow the instructions provided in this link.

Conclusion

CVE-2022-23092 is a notable vulnerability in the lib9p implementation of RWALK messages that can cause memory overwrites in the bhyve process and lead to user-mode code execution. It's crucial for users to apply the necessary patch to mitigate this issue and protect their bhyve virtual machines.

References

1. FreeBSD Security Advisory SA-22:03.lib9p
2. Explanation of 9P protocol
3. Patch fixing the issue
4. Bhyve documentation

Timeline

Published on: 02/15/2024 06:15:45 UTC
Last modified on: 05/14/2024 10:18:04 UTC