CVE-2021-32845: Fix vtrnd pci_vtrnd_notify uninitialized memory use (GHSL-2021-056) · moby/hyperkit@41272a9

HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, the implementation of qnotify at pci_vtrnd_notify fails to check the return value of vq_getchain. This leads to struct iovec iov; being uninitialized and used to read memory in len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len); when an attacker is able to make vq_getchain fail. This issue may lead to a guest crashing the host, causing a denial of service and, under certain circumstances, memory corruption. This issue is fixed in commit 41272a980197917df8e58ff90642d14dec8fe948.

CVE
#dos

@@ -100,7 +100,7 @@ pci_vtrnd_notify(void *vsc, struct vqueue_info *vq)

{

struct iovec iov;

struct pci_vtrnd_softc *sc;

int len;

int len, n;

uint16_t idx;

sc = vsc;
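
Review bot: struct iovec iov is still declared without an initializer at the top of pci_vtrnd_notify, so any path that reaches read() without vq_getchain having filled it passes stack garbage as iov_base and iov_len. Zero-initializing it at the declaration (struct iovec iov = { 0 };) would turn such a path into a zero-length read into NULL, independent of the new n check.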

@@ -111,7 +111,11 @@ pci_vtrnd_notify(void *vsc, struct vqueue_info *vq)

}

while (vq_has_descs(vq)) {

vq_getchain(vq, &idx, &iov, 1, NULL);

n = vq_getchain(vq, &idx, &iov, 1, NULL);

if (n < 0) {

fprintf(stderr, "vtrnd: vtrnd_notify(): n %d\r\n", n);

return;

}

len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);
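
Review bot: the check added after vq_getchain rejects only n < 0, so if vq_getchain can return 0 without filling iov, the loop still falls through to read(sc->vrsc_fd, iov.iov_base, iov.iov_len) with iov unset. Exactly one descriptor is requested here, so testing n < 1 (or n != 1) would cover both cases. The message "vtrnd: vtrnd_notify(): n %d" also does not say that vq_getchain is what failed, which would help when triaging host logs.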
