From 84d2dd6c433fd4a8ec4572d42f76db046ce90f86 Mon Sep 17 00:00:00 2001 From: Patrick Roy Date: Wed, 6 Sep 2023 17:02:31 +0100 Subject: [PATCH] Import CVE-2023-41051 as RustSec advisory Signed-off-by: Patrick Roy --- crates/vm-memory/RUSTSEC-0000-0000.md | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 crates/vm-memory/RUSTSEC-0000-0000.md diff --git a/crates/vm-memory/RUSTSEC-0000-0000.md b/crates/vm-memory/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..f9d581a8d9 --- /dev/null +++ b/crates/vm-memory/RUSTSEC-0000-0000.md @@ -0,0 +1,29 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "vm-memory" +date = "2023-09-01" +url = "https://github.com/rust-vmm/vm-memory/issues/250" +references = ["https://github.com/rust-vmm/vm-memory/commit/aff1dd4a5259f7deba56692840f7a2d9ca34c9c8"] +informational = "unsound" +categories = ["memory-exposure"] +cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L" +aliases = ["CVE-2023-41051", "GHSA-49hh-fprx-m68g"] + +[affected] +[affected.functions] +"vm_memory::volatile_memory::VolatileMemory::get_atomic_ref" = ["< 0.12.2"], +"vm_memory::volatile_memory::VolatileMemory::aligned_as_ref" = ["< 0.12.2"], +"vm_memory::volatile_memory::VolatileMemory::aligned_as_mut" = ["< 0.12.2"], +"vm_memory::volatile_memory::VolatileMemory::get_ref" = ["< 0.12.2"], +"vm_memory::volatile_memory::VolatileMemory::get_array_ref" = ["< 0.12.2"], + +[versions] +patched = [">= 0.12.2"] +``` + +# Default functions in VolatileMemory trait lack bounds checks, potentially leading to out-of-bounds memory accesses + +An issue was discovered in the default implementations of the `VolatileMemory::{get_atomic_ref, aligned_as_ref, aligned_as_mut, get_ref, get_array_ref}` trait functions, which allows out-of-bounds memory access if the `VolatileMemory::get_slice` function returns a `VolatileSlice` whose length is less than the function’s `count` argument. No implementations of `get_slice` provided in `vm_memory` are affected. Users of custom `VolatileMemory` implementations may be impacted if the custom implementation does not adhere to `get_slice`'s documentation. + +The issue started in version 0.1.0 but was fixed in version 0.12.2 by inserting a check that verifies that the `VolatileSlice` returned by `get_slice` is of the correct length.