Security vulnerabilities and automated fixes for virtualization issues
3 posts found
A critical buffer overflow vulnerability was discovered in `machine.virt/system/libs/arch_virt/src/virtio.c`, where four `memcpy` calls used length values sourced directly from guest-controlled virtio queue descriptor rings without validating them against the destination buffer size. An attacker operating a malicious guest VM could supply an oversized length (e.g., `0xFFFFFFFF`) to corrupt adjacent host heap memory, including function pointers and heap metadata. The fix introduces an explicit bo
A medium-severity vulnerability in `src/ddma.c` allowed a malicious guest OS to program DMA controllers with unconstrained transfer sizes and addresses, potentially enabling guest-to-host memory access in an emulated environment. The fix introduces strict bounds validation to ensure all DMA transfers stay within allocated memory regions, closing a dangerous path to host memory disclosure and corruption.
A critical out-of-bounds memory read vulnerability was discovered and patched in a RISC-V emulator's MMU address translation logic, where insufficient bounds validation in `mmu_ifetch` allowed malicious guest programs to read arbitrary host process memory. This class of vulnerability represents one of the most dangerous bugs in virtualization and emulation software, as it breaks the fundamental isolation boundary between guest and host. The fix reinforces address validation before any memory acc