On Fri, Jun 26, 2026 at 06:32:24AM -0400, Michael S. Tsirkin wrote: > On Fri, Jun 26, 2026 at 10:43:05AM +0100, Daniel P. Berrangé wrote: > > On Thu, Jun 25, 2026 at 06:56:05PM +0200, Mauro Matteo Cascella wrote: > > > On Mon, Jun 22, 2026 at 6:30 PM Daniel P. Berrangé <[email protected]> > > > wrote: > > > > > > > > On Mon, Jun 22, 2026 at 06:11:44PM +0200, Laurent Vivier wrote: > > > > > A malicious guest can craft virtqueue descriptors with arbitrary > > > > > lengths. > > > > > control_out() calls iov_size() on the guest-supplied scatter-gather > > > > > list > > > > > and passes the result directly to g_malloc(), allowing a guest to > > > > > force > > > > > QEMU to attempt multi-gigabyte allocations and crash the host process. > > > > > > > > > > Fix this by copying at most sizeof(struct virtio_console_control) > > > > > into a > > > > > stack-local variable instead of allocating a buffer sized by the > > > > > guest. > > > > > handle_control_message() only accesses the fixed-size id, event, and > > > > > value fields, so no data beyond the struct was ever needed. > > > > > > > > Does anyone have thoughts on whether we should treat guest initiated > > > > unbounded allocs as a security issue ? > > > > > > > > IIUC, this flaw would require root in the guest OS in order to craft > > > > the malicious virtqueue descriptors. > > > > > > > > A self-initiated crash triggered by root would not historically > > > > be enough justification for CVE. We would require it to be triggered > > > > by unprivileged user. > > > > > > > > Nested virt with device assignment could change that equation though > > > > as the L2 guest could be considered an unpriv user from the L1 POV. > > > > > > > > Also in theory the large alloc might be large enough to consume all > > > > host RAM but not large enough to trigger OOM kill of QEMU. This might > > > > impact operation of other co-located VMs on the same host. > > > > > > > > Anyone think this is bad enough to justify a CVE ? Or should we treat > > > > these OOM scenarios maerely as "hardening" bugs, where they require > > > > 'root' in the L1 guest ? > > > > > > I'd lean toward classifying these as hardening bugs. I don't see the > > > point in assigning Low CVEs to these kinds of issues nowadays. Under > > > current vulnerability management standards, they would definitely be > > > pushed down the priority list and likely skipped or deferred. > > > > Ok, so lets apply as a general rule that all OOM bugs which require > > privileged access in the guest are not assigned CVEs. > > > > An unprivileged guest exploit would be more significant so still > > potentially in scope. > > I'd love to have a document where all this is written up, though.
We should add these rules to our main security.rst file in git. where we describe the virt vs non-virt use cases. With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
