Skip to content

fix(deps): apply security fixes to td-shim-AzCVMEmu#932

Open
MichalTarnacki wants to merge 1 commit into
intel:mainfrom
MichalTarnacki:fix/implementation-bugs-azcvmemu
Open

fix(deps): apply security fixes to td-shim-AzCVMEmu#932
MichalTarnacki wants to merge 1 commit into
intel:mainfrom
MichalTarnacki:fix/implementation-bugs-azcvmemu

Conversation

@MichalTarnacki

Copy link
Copy Markdown
Contributor
# Assessed Severity Bug Call Chain / Location Fix Classification Disposition Reason
1 Low tdcall_servtd_rebind_approve indexes target_td_uuid/token without length check -> tdcall_servtd_rebind_approve Use .get(..) and return Err on short slices. weakness The defect is real; the emulated tdcall_servtd_rebind_approve indexes target_td_uuid[0..3] and run copy_from_slice(&rebind_session_token[..32]) with no length check, so a slice shorter than 4 u64 or 32 bytes panics (CWE-248). But it is not an exploitable true positive. This is AzCVMEmu emulation code, outside the production TDX TCB — in the shipped product this call is a hardware TDCALL, and the production wrapper in tdx.rs:952-958 already validates both lengths (target_td_uuid.len() != 4 || rebind_session_token.len() != REBIND_SESSION_TOKEN_SIZE) and returns Err before any indexing.
2 Medium free_shared_pages: Box::from_raw with caller-supplied num -- Layout mismatch + ov -> free_shared_pages Store original Layout alongside allocation; dealloc with that. Return Err on overflow. weakness Split the finding into its two claims. The "panic on huge num" via checked_mul(num).expect() is a false positive: num is never attacker-chosen. It is derived internally as dma_size / PAGE_SIZE, and dma_size = align_up(buf.len()) where buf.len() is hard-capped at MAX_VSOCK_PKT_DATA_LEN (64 KiB) by the enqueue guard, so num ≤ 16 and 0x1000 * 16 cannot overflow usize. The huge-num path is mathematically unreachable.

The "Layout mismatch → heap UB" half is a real defect but only a weakness, not the T1/MUST-FIX it is labeled. Reconstructing the dealloc Box from the caller's num instead of the recorded allocation size is a genuine footgun in an unsafe fn, but it only bites if some caller frees with a different count than it allocated. No in-tree caller does that — every path (the vsock Allocator, and virtio_pci storing dma_size and freeing with dma_size / PAGE_SIZE) is self-consistent. Crucially, the VMM does not control the free num; it controls bounded packet contents/lengths, while the page count is internal allocation bookkeeping. So the "directly reachable from untrusted VMM / oob_write" tag is overstated. This is also emulation-only code (td-payload-emu), outside the production TDX TCB.
3 Low register_interrupt_callback truncates usize vector to u8 -> register_interrupt_callback Change parameter type to u8 or assert vector<256. weakness The vector parameter is always supplied by MigTD's own code (hardcoded interrupt vector constants passed to register_interrupt_callback), not by any external or VMM-controlled input. The truncation from usize to u8 is only dangerous if a caller passes a value ≥ 256, which no current caller does. The guard converts a hypothetical future misuse into a clean error return rather than silent index wraparound, but today the dangerous path is unreachable — making this defense-in-depth hardening, not remediation of an exploitable vulnerability.

@MichalTarnacki MichalTarnacki force-pushed the fix/implementation-bugs-azcvmemu branch 2 times, most recently from 0fc9afb to b476644 Compare July 6, 2026 08:01
Comment thread deps/td-shim-AzCVMEmu/td-payload-emu/src/arch/idt/mod.rs Outdated
- tdx_emu: add bounds checks in tdcall_servtd_rebind_approve for
  target_td_uuid and rebind_session_token slices
- idt: validate vector < 256 in register_interrupt_callback
- shared: replace Box::from_raw with Layout-based dealloc in
  free_shared_pages, add checked_mul overflow guard

Signed-off-by: Michal Tarnacki <[email protected]>
Co-authored-by: GitHub Copilot <[email protected]>
@MichalTarnacki MichalTarnacki force-pushed the fix/implementation-bugs-azcvmemu branch from b476644 to d243b83 Compare July 8, 2026 09:08
@MichalTarnacki MichalTarnacki requested a review from sgrams July 8, 2026 09:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants