bhyve(8)'s fwctl interface provides a mechanism through which guest firmware can query the hypervisor for information about the virtual machine. The fwctl interface is available to guests when bhyve is run with the "-l bootrom" option, used for example when booting guests in UEFI mode. bhyve is currently only supported on the amd64 platform. The fwctl driver implements a state machine which is executed when the guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. A malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
Hetzner introduced its Ampere Altra powered arm64-based cloud servers earlier this year, making it possible to easily run OpenBSD/arm64 on their platform. The only caveat for now is that the viogpu(4) driver is required, which was committed by jcs@ in April 2023 and thus only available in snapshots. It will first appear in OpenBSD 7.4.
Errata patches for npppd have been released for OpenBSD 7.2 and 7.3. Binary updates for the amd64, arm64 and i386 platform are available via the syspatch utility.
EuroBSDCon 2023 has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.Video of the presentations can be expected somewhat later.
On the Loss and Preservation of Knowledge, Unix Recovery Legend, Useful Unix commands for data science, Tarsnap outage post-mortem, OpenBSD 7.3 on a twenty year old IBM ThinkPad R31, and more.
Can you really do 3D printing from OpenBSD? Cue suspenseful music whilst I formulate my answer, which is: Yes.
HardenedBSD 14-STABLE is now officially a thing. Haven't seen any changelog, yet. Installers are at https://installers.hardenedbsd.org/pub/14-stable/ and package builder at https://hbsd-pkg-14-stable-01.hardenedbsd.org/index.html.
The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX or BSD systems.
The Elements Of Style: UNIX As Literature, The shell and its crappy handling of whitespace, Theo de Raadt on Zenbleed, OPNsense 23.7 released, illumos gets a new C compiler, fixing Thinkpad X1 WIFI on FreeBSD, and more.
The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX or BSD systems.
IPv6 fragments may bypass firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
Several certificates were added to the bundle after the latest release of FreeBSD 13.2. TLS connections using the missing root certificates as a trust anchor would not be trusted causing an error.
The code which allocated the hot-plug interrupt did not allocate MSI-X vectors properly. When attaching to devices which support only MSI-X messages, the interrupt would not be allocated. PCIe hot-plug would fail to work for certain devices. In particular, this affects certain Amazon EC2 instance types which require functional hot-plug support in order to attach network devices.
freebsd-update incorrectly deleted files in /etc/ in the event the file to be updated matched the new release and was different than the old release. This has not been an issue previously because the $FreeBSD$ tag expansion from subversion virtually guaranteed the existing file was going to be different from the new release. With the conversion to git in the 13.x releases, $FreeBSD$ is no longer expanded, making it much more likely that a file would find this issue.