Fix VirtIO descriptor length validation bugs #799
Open
olivia-wu-epsf wants to merge 4 commits into intel:main from
Conversation
Clamp VMM-controlled descriptor len values to the known DMA allocation size before passing them to slice_from_raw_parts/from_raw_parts. This prevents out-of-bounds reads when a malicious VMM overwrites the shared DMA descriptor table with inflated length values.

Bug 1 (vsock): pkt[1].len is now clamped to dma_record.dma_size in the virtio_pci.rs receive path.

Bug 2 (virtio_serial): vq_buf.len and buffer.len are now clamped to dma_allocation.dma_size in both the control message receive path and the data receive path. The control path also now validates the DMA address via dma_allocation.get() before creating the slice.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
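The clamp the commit describes, as an added Rust example that is not code from this PR or from the repository it targets: the descriptor `len` read back from VMM-writable shared memory is bounded by the driver's own record of the allocation size before any slice is built over it. `DmaAllocation`, `Descriptor`, `clamped_len` and `receive_slice` are assumed names modelled on the `dma_record` / `dma_allocation.get()` wording above.

```rust
// Added example, not code from this PR or its repository: models the clamp in #799.
// Descriptor `addr`/`len` live in VMM-writable shared memory; before the fix
// `len` went straight into slice_from_raw_parts, so an inflated value produced
// a slice reaching past the DMA allocation. The fix bounds `len` by the size the
// driver itself recorded (`dma_size`). Struct and function names are assumed.

/// Driver-side record of a DMA allocation (stand-in for `dma_record`).
pub struct DmaAllocation {
    pub dma_addr: u64,
    pub dma_size: usize,
}

impl DmaAllocation {
    /// Offset of `addr` inside this allocation, or None if the untrusted
    /// descriptor address does not point into it.
    pub fn get(&self, addr: u64) -> Option<usize> {
        let off = addr.checked_sub(self.dma_addr)? as usize;
        if off < self.dma_size { Some(off) } else { None }
    }
}

/// Virtqueue descriptor as read back from shared memory: both fields untrusted.
#[derive(Clone, Copy)]
pub struct Descriptor { pub addr: u64, pub len: u32 }

/// Length the driver may safely expose for `desc`: never more than the room
/// left in the allocation after the descriptor's offset.
pub fn clamped_len(desc: &Descriptor, alloc: &DmaAllocation) -> Option<usize> {
    let off = alloc.get(desc.addr)?;
    Some(core::cmp::min(desc.len as usize, alloc.dma_size - off))
}

/// Build the receive slice. `backing` is the driver's view of the DMA buffer
/// (a plain slice here, standing in for a raw pointer + slice_from_raw_parts).
pub fn receive_slice<'a>(
    backing: &'a [u8], desc: &Descriptor, alloc: &DmaAllocation,
) -> Option<&'a [u8]> {
    debug_assert_eq!(backing.len(), alloc.dma_size);
    let off = alloc.get(desc.addr)?;
    let len = clamped_len(desc, alloc)?;
    Some(&backing[off..off + len])
}

fn main() {
    let alloc = DmaAllocation { dma_addr: 0x1000, dma_size: 64 };
    let backing = [0u8; 64]; // constructed stand-in for the shared DMA page
    let inflated = Descriptor { addr: 0x1010, len: u32::MAX }; // VMM-inflated len
    let s = receive_slice(&backing, &inflated, &alloc).expect("addr in allocation");
    println!("slice len clamped to {}", s.len()); // 48
}
```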
Contributor
@olivia-wu-epsf, could you please fix the cargo fmt / clippy issue?
Fix rustfmt formatting in virtio_serial and vsock drivers to pass the CI cargo fmt --check step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Address cargo-deny advisory RUSTSEC-2026-0104 (reachable panic in certificate revocation list parsing) by updating rustls-webpki from 0.103.10 to 0.103.13.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Main already contains rustls-webpki 0.103.13 (RUSTSEC-2026-0104 fix), so take main's Cargo.lock as the resolution.
Summary
Clamp VMM-controlled descriptor len values to the known DMA allocation size before passing them to slice_from_raw_parts/from_raw_parts. This prevents out-of-bounds reads when a malicious VMM overwrites the shared DMA descriptor table with inflated length values.
Changes
Bug 1: Vsock driver (src/devices/vsock/src/transport/virtio_pci.rs)
Bug 2: VirtIO serial driver (src/devices/virtio_serial/src/lib.rs)
Classification
These are reliability bugs (Rust UB, potential crash). Not security vulnerabilities under the Confidential Computing threat model, since OOB reads only reach VMM-controlled shared memory (no confidentiality loss) or cause a crash (DoS, which is out of scope per the TDX threat model).
Testing