On Wed, 10 Feb 2016 19:05:40 -0800
Seth Arnold <seth.arnold at canonical.com> wrote:

> - ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
>   virtio_send_command(), which performs:
>   memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
>   This copies a potentially huge amount of uninitialized data into ->addr
>   because the struct virtio_pmd_ctrl ctrl was not zeroed before being
>   passed. How much of this data leaves the system? Does this require a
>   CVE?

This is not really a security issue.
The guest (virtio) has to trust the host to follow the protocol.
If the host is malicious there are far worse things it can do.

In this case, the on-stack variable ctrl is only partially initialized
but only partially used. The hdr part (virtio_net_ctrl_hdr) is fully
initialized, and status is set to 0 in virtio_send_command.

Although partially uninitialized data is copied into a region shared with the host,
only the first part is actually referenced by the ring element:

        vq->vq_ring.desc[head].flags = VRING_DESC_F_NEXT;
        vq->vq_ring.desc[head].addr = vq->virtio_net_hdr_mz->phys_addr;
        vq->vq_ring.desc[head].len = sizeof(struct virtio_net_ctrl_hdr);

Therefore it is not a real problem.
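The argument in the reply is that the descriptor length, not the memcpy size, bounds what the host is told to read. The following is an added model of that reasoning, not DPDK's own code: the struct layout is simplified (a two-byte header, a status byte and a 64-byte data area, all constructed for the example), a 0xAA marker stands in for whatever stale bytes a real stack frame would hold, and the descriptor is reduced to an address/length pair. It counts how many stale bytes fall inside the window a descriptor of a given length exposes, for the partially initialized struct from the report and for a fully zeroed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the DPDK control structures discussed above.
 * Field names follow the thread; sizes are constructed for this example. */
struct ctrl_hdr {
    uint8_t cls;
    uint8_t cmd;
};

#define CTRL_DATA_LEN 64

struct pmd_ctrl {
    struct ctrl_hdr hdr;
    uint8_t status;
    uint8_t data[CTRL_DATA_LEN];
};

/* A ring descriptor reduced to what matters here: the host reads exactly
 * `len` bytes starting at `addr`. */
struct ring_desc {
    const uint8_t *addr;
    uint32_t len;
};

/* Marker standing in for stale stack contents (constructed value). */
#define STALE 0xAAu

/* Model of the reported code path: only hdr and status are written before
 * the whole struct is copied into the shared region. */
static void build_ctrl_partial(struct pmd_ctrl *ctrl, uint8_t cls, uint8_t cmd)
{
    memset(ctrl, STALE, sizeof(*ctrl)); /* simulate leftover stack bytes */
    ctrl->hdr.cls = cls;
    ctrl->hdr.cmd = cmd;
    ctrl->status = 0;                   /* as virtio_send_command does */
}

/* Hardened variant: zero the whole struct first, so no stale bytes exist
 * regardless of how long the descriptor is. */
static void build_ctrl_zeroed(struct pmd_ctrl *ctrl, uint8_t cls, uint8_t cmd)
{
    memset(ctrl, 0, sizeof(*ctrl));
    ctrl->hdr.cls = cls;
    ctrl->hdr.cmd = cmd;
    ctrl->status = 0;
}

/* Copy the struct into a shared buffer (the memcpy from the report), then
 * count the stale marker bytes inside the window the descriptor exposes. */
static size_t stale_bytes_visible(const struct pmd_ctrl *ctrl, uint32_t desc_len)
{
    uint8_t shared[sizeof(struct pmd_ctrl)];
    memcpy(shared, ctrl, sizeof(*ctrl));
    struct ring_desc desc = { shared, desc_len };
    size_t n = 0;
    for (uint32_t i = 0; i < desc.len && i < sizeof(shared); i++)
        if (desc.addr[i] == STALE)
            n++;
    return n;
}

/* Exposure for the partially initialized struct at a given descriptor length. */
size_t exposure_partial(uint32_t desc_len)
{
    struct pmd_ctrl c;
    build_ctrl_partial(&c, 5, 0); /* constructed class/command values */
    return stale_bytes_visible(&c, desc_len);
}

/* Exposure for the zeroed struct at a given descriptor length. */
size_t exposure_zeroed(uint32_t desc_len)
{
    struct pmd_ctrl c;
    build_ctrl_zeroed(&c, 5, 0);
    return stale_bytes_visible(&c, desc_len);
}

int main(void)
{
    uint32_t hdr_len = (uint32_t)sizeof(struct ctrl_hdr);
    uint32_t full_len = (uint32_t)sizeof(struct pmd_ctrl);
    printf("partial init, desc.len = sizeof(hdr):    %zu stale bytes visible\n",
           exposure_partial(hdr_len));
    printf("partial init, desc.len = sizeof(struct): %zu stale bytes visible\n",
           exposure_partial(full_len));
    printf("zeroed init,  desc.len = sizeof(struct): %zu stale bytes visible\n",
           exposure_zeroed(full_len));
    return 0;
}
```

With the descriptor length set to sizeof(struct virtio_net_ctrl_hdr), as in the quoted ring setup, the stale bytes sit in the shared region but outside the window the host is told to read; the second line shows what changes if a later edit ever widens that length. Zero-initializing the struct (the hardened variant) makes the result independent of the descriptor length, which is the cheap belt-and-braces fix a reviewer would still ask for even though the reply is right that nothing is referenced today.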
