The ctl_report_supported_opcodes function did not...
High severity
Unreviewed
Published
Sep 5, 2024
to the GitHub Advisory Database
•
Updated Sep 5, 2024
Description
Published by the National Vulnerability Database
Sep 5, 2024
Published to the GitHub Advisory Database
Sep 5, 2024
Last updated
Sep 5, 2024
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References