Problem Description:
lib9p’s handling of RWALK messages (the 9P reply to a walk request) was
missing a bounds check needed when unpacking the message contents into a
fixed-size structure. Because of the missing check, receipt of a specially
crafted RWALK message causes lib9p to write past the end of that structure
and overwrite unrelated memory.
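As an added illustration that is not lib9p’s code and not part of this advisory, the C sketch below decodes a 9P2000 Rwalk frame (size[4] type[1] tag[2] nwqid[2] nwqid*qid[13], little-endian) into a structure with a fixed-capacity qid array and shows where the bounds check belongs. MAX_WELEM, the function names and the constructed test frames are assumptions; the 9P type number for Rwalk and the wire layout follow the 9P2000 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoder for 9P Rwalk frames; names and capacity are assumed. */
#define RWALK_TYPE 111   /* 9P2000 message type number for Rwalk */
#define MAX_WELEM  16    /* 9P caps a walk at 16 elements; array capacity */
#define QID_SIZE   13    /* qid = type[1] version[4] path[8] */

struct qid { uint8_t type; uint32_t version; uint64_t path; };

struct rwalk {
	uint16_t   tag;
	uint16_t   nwqid;              /* attacker-controlled 16-bit count */
	struct qid wqid[MAX_WELEM];    /* fixed capacity: nwqid must be bounded */
};

struct msg { const uint8_t *buf; size_t len, off; };

/* Read an n-byte little-endian integer, refusing to run past the buffer. */
static int get_le(struct msg *m, size_t n, uint64_t *v)
{
	uint64_t x = 0;
	if (m->len - m->off < n)
		return -1;
	for (size_t i = 0; i < n; i++)
		x |= (uint64_t)m->buf[m->off + i] << (8 * i);
	m->off += n;
	*v = x;
	return 0;
}

static void put_le(uint8_t *p, size_t n, uint64_t v)
{
	for (size_t i = 0; i < n; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

static int get_qid(struct msg *m, struct qid *q)
{
	uint64_t t, ver, path;
	if (get_le(m, 1, &t) < 0 || get_le(m, 4, &ver) < 0 || get_le(m, 8, &path) < 0)
		return -1;
	q->type = (uint8_t)t; q->version = (uint32_t)ver; q->path = path;
	return 0;
}

/* Returns 0 on success, -1 on a malformed or truncated frame, -2 when
 * nwqid exceeds the capacity of out->wqid. */
int unpack_rwalk(const uint8_t *buf, size_t len, struct rwalk *out)
{
	struct msg m = { buf, len, 0 };
	uint64_t size, type, tag, nwqid;

	if (get_le(&m, 4, &size) < 0 || get_le(&m, 1, &type) < 0 ||
	    get_le(&m, 2, &tag) < 0 || get_le(&m, 2, &nwqid) < 0)
		return -1;
	if (size != len || type != RWALK_TYPE)
		return -1;
	out->tag = (uint16_t)tag;
	out->nwqid = (uint16_t)nwqid;
	/* The check the advisory describes as missing. Without it, a frame
	 * carrying nwqid > MAX_WELEM drives the loop below past the end of
	 * out->wqid: up to 65535 qids of 13 bytes each land on whatever
	 * follows the structure in memory. */
	if (out->nwqid > MAX_WELEM)
		return -2;
	for (uint16_t i = 0; i < out->nwqid; i++)
		if (get_qid(&m, &out->wqid[i]) < 0)
			return -1;
	return 0;
}

/* Constructed test frame: Rwalk with nwqid directory qids, path = index. */
size_t build_rwalk(uint8_t *buf, size_t cap, uint16_t nwqid)
{
	size_t n = 9 + (size_t)nwqid * QID_SIZE, off = 9;
	if (n > cap)
		return 0;
	put_le(buf, 4, n);
	buf[4] = RWALK_TYPE;
	put_le(buf + 5, 2, 1);             /* tag */
	put_le(buf + 7, 2, nwqid);
	for (uint16_t i = 0; i < nwqid; i++, off += QID_SIZE) {
		buf[off] = 0x80;               /* QTDIR */
		put_le(buf + off + 1, 4, 0);   /* version */
		put_le(buf + off + 5, 8, i);   /* path */
	}
	return n;
}

/* Build a frame with the given count and decode it; returns unpack_rwalk's code. */
int decode_constructed(uint16_t nwqid, struct rwalk *out)
{
	uint8_t buf[4096];
	size_t n = build_rwalk(buf, sizeof buf, nwqid);
	return n == 0 ? -1 : unpack_rwalk(buf, n, out);
}

int main(void)
{
	struct rwalk rw;
	printf("nwqid=3  -> %d\n", decode_constructed(3, &rw));
	printf("nwqid=17 -> %d\n", decode_constructed(17, &rw));
	return 0;
}
```

The count field is read from the wire before the array is filled, so the check must sit between those two steps; rejecting the frame there is the only safe option, since clamping the count would silently desynchronise the parser from the remaining bytes of the message.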
Impact:
The bug can be triggered by a malicious bhyve guest kernel to
overwrite memory in the bhyve(8) process. This could potentially lead
to user-mode code execution on the host, subject to bhyve’s Capsicum
sandbox.