oss-sec mailing list archives
kernel: low-severity vfio driver integer overflow
From: Vlad Tsyrklevich <vlad () tsyrklevich net>
Date: Thu, 27 Oct 2016 00:41:28 +0200
The vfio driver allows direct user access to devices. The VFIO_DEVICE_SET_IRQS ioctl for vfio PCI devices has a state machine confusion bug where specifying VFIO_IRQ_SET_DATA_NONE along with another bit in VFIO_IRQ_SET_DATA_TYPE_MASK in hdr.flags allows integer overflow checks to be skipped for hdr.start/hdr.count. This might allow memory corruption later in vfio_pci_set_msi_trigger() with user access to an appropriate vfio device file, but it seems difficult to usefully exploit in practice.

https://patchwork.kernel.org/patch/9373631/
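The flag-handling pattern behind this bug class, as an added illustration that is neither the kernel's code nor the linked patch: a validator that tests the data-type bits one at a time (so a second bit alongside VFIO_IRQ_SET_DATA_NONE bypasses the start/count range check) next to one that switches on the masked field, accepts exactly one data type, and bounds the range without an addition that can wrap. The struct and function names are assumptions; the flag bit values mirror the uapi <linux/vfio.h> layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits laid out as in uapi <linux/vfio.h> for VFIO_DEVICE_SET_IRQS. */
#define VFIO_IRQ_SET_DATA_NONE     (1u << 0)
#define VFIO_IRQ_SET_DATA_BOOL     (1u << 1)
#define VFIO_IRQ_SET_DATA_EVENTFD  (1u << 2)
#define VFIO_IRQ_SET_DATA_TYPE_MASK \
    (VFIO_IRQ_SET_DATA_NONE | VFIO_IRQ_SET_DATA_BOOL | VFIO_IRQ_SET_DATA_EVENTFD)

/* Assumed, simplified header: only the fields relevant to the range check. */
struct irq_hdr { uint32_t flags, start, count; };

/* Bug-class pattern: the range check sits under a test of a single bit, so a
 * header that sets DATA_NONE together with another data-type bit skips it. */
static bool validate_confused(const struct irq_hdr *h, uint32_t max)
{
    if (!(h->flags & VFIO_IRQ_SET_DATA_NONE)) {
        if (!(h->flags & (VFIO_IRQ_SET_DATA_BOOL | VFIO_IRQ_SET_DATA_EVENTFD)))
            return false;
        if (h->start >= max || h->start + h->count > max) /* sum may wrap */
            return false;
    }
    return true; /* DATA_NONE present: start/count never examined */
}

/* Hardened pattern: switch on the masked field so exactly one data-type bit
 * is accepted, then bound start/count with a subtraction that cannot wrap. */
static bool validate_fixed(const struct irq_hdr *h, uint32_t max)
{
    switch (h->flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
    case VFIO_IRQ_SET_DATA_NONE:
    case VFIO_IRQ_SET_DATA_BOOL:
    case VFIO_IRQ_SET_DATA_EVENTFD:
        break;
    default: /* no data-type bit, or more than one */
        return false;
    }
    return h->start < max && h->count <= max - h->start;
}

int main(void)
{
    /* Constructed header: two data-type bits plus a start/count pair whose
     * sum wraps, checked against a device that exposes 8 interrupts. */
    const struct irq_hdr bad = { VFIO_IRQ_SET_DATA_NONE | VFIO_IRQ_SET_DATA_BOOL,
                                 0xFFFFFFF0u, 0x100u };
    printf("confused: %s\n", validate_confused(&bad, 8) ? "accepted" : "rejected");
    printf("fixed:    %s\n", validate_fixed(&bad, 8) ? "accepted" : "rejected");
    return 0;
}
```

The same masked-switch check is the shape to look for when auditing any ioctl that encodes a mutually exclusive choice as separate flag bits.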