Skip to content

fix(vsock): packet/credit/dump validation from security audit#943

Merged
sgrams merged 1 commit into
intel:mainfrom
MichalTarnacki:fix/impl-bugs-vsock
Jul 9, 2026
Merged

fix(vsock): packet/credit/dump validation from security audit#943
sgrams merged 1 commit into
intel:mainfrom
MichalTarnacki:fix/impl-bugs-vsock

Conversation

@MichalTarnacki

@MichalTarnacki MichalTarnacki commented Jul 7, 2026

Copy link
Copy Markdown
Contributor
# Assessed Severity Bug Call Chain / Location Fix Classification Disposition Reason
1 Medium vsock Packet::check validates header len but not data_len vs buffer -> check In check(), require HEADER_LEN+data_len()<=buf.len(); return Err otherwise. true_positive
2 Low vsock credit counters rx_cnt/tx_cnt unchecked u32 add (wrap) -> recv_packet_connected Use wrapping_add intentionally per virtio-vsock spec, but move rx_cnt update AFTER data_len<=recv.len() check. true_positive
3 Low Slice index panic on VMM-controlled response length: Response::new() (vmcall.rs: Review the finding context and add appropriate input validation or guard checks. weakness The reply.data()[0], reply.data()[1], and reply.data()[4..12] accesses can panic if the VMM returns a response with length == 24 (valid per Response::new() but leaving data() empty). The impact is exclusively a panic (DoS). The response buffer resides in shared memory fully controlled by the VMM, which already has unlimited DoS capability over MigTD through scheduling denial, VMCALL non-response, or simply returning VMCALL_STATUS_RESERVED indefinitely.

Comment thread src/devices/vsock/src/transport/vmcall.rs Outdated
Comment thread src/devices/vsock/src/transport/vmcall.rs Outdated
@sgrams

sgrams commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Can you please rebase this PR?

@MichalTarnacki MichalTarnacki force-pushed the fix/impl-bugs-vsock branch 3 times, most recently from b897822 to 9003f67 Compare July 8, 2026 09:49
@MichalTarnacki

Copy link
Copy Markdown
Contributor Author

rebased

@MichalTarnacki MichalTarnacki requested a review from sgrams July 8, 2026 09:50
- Packet::check validate data_len vs buffer
- rx_cnt update after data_len<=recv.len() check
- Response::new() guard slice index on VMM response length

Signed-off-by: Michal Tarnacki <[email protected]>
Co-authored-by: GitHub Copilot <[email protected]>
@sgrams sgrams merged commit 251a043 into intel:main Jul 9, 2026
61 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants