Problem Description:
The fwctl driver implements a state machine which is executed when
the guest accesses certain x86 I/O ports. The interface lets the guest
copy a string into a buffer resident in the bhyve process' memory. A
bug in the state machine implementation can result in a buffer
overflowing when copying this string.
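
The class of check involved, shown as an added example and not bhyve's fwctl code: a simplified model of a port-driven request state machine that validates the guest-announced length before any copy. The structure, names, 64-byte limit and the length-then-data word protocol are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 64              /* hypothetical host buffer size */

enum state { ST_IDLE, ST_DATA, ST_DONE, ST_ERROR };

struct req {
    enum state st;
    uint32_t   want;                 /* bytes the guest announced */
    uint32_t   have;                 /* bytes stored so far */
    char       name[NAME_MAX_LEN + 1];
};

void req_reset(struct req *r) { memset(r, 0, sizeof(*r)); r->st = ST_IDLE; }

/* Handle one 32-bit port write from the guest; returns the new state. */
enum state req_write(struct req *r, uint32_t word)
{
    switch (r->st) {
    case ST_IDLE:
        /* First word is the length: validate it before any copy. */
        if (word == 0 || word > NAME_MAX_LEN) {
            r->st = ST_ERROR;
            break;
        }
        r->want = word;
        r->have = 0;
        r->st = ST_DATA;
        break;
    case ST_DATA: {
        uint32_t left = r->want - r->have;   /* always > 0 in this state */
        uint32_t n = left < sizeof(word) ? left : (uint32_t)sizeof(word);
        memcpy(r->name + r->have, &word, n); /* never writes past want */
        r->have += n;
        if (r->have == r->want) {
            r->name[r->have] = '\0';
            r->st = ST_DONE;
        }
        break;
    }
    case ST_DONE:
    case ST_ERROR:
        /* Further writes are ignored until the host resets the request. */
        break;
    }
    return r->st;
}
```

Every transition keeps have <= want <= NAME_MAX_LEN, so no sequence of guest writes can move the copy offset outside the buffer.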
Impact:
Malicious, privileged software running in a guest VM can exploit
the buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.