In December, we hosted a CTF where one of the challenges was exploiting any "0day" bug in kvmtool [1]. Eight teams managed to find a bug and exploit it in less than 36 hours. Write-ups for exploits are available by HXP [2] and kalmarunionen [3].

Now, I'm aware that kvmtool is mostly used for KVM testing and KVM bring-up in simulation environments. But since it does get mentioned in some security-related projects [4, 5] and has a sandboxing feature, maybe it makes sense to fix these bugs.

Could you please check if these patches make sense? I have not verified that these patches do not break something for these virtio drivers.

Kind regards,
Martin

[1]: https://2021.ctf.link/internal/challenge/dd0e8826-c970-4fde-8eeb-41a9d8a86b67/
[2]: https://hxp.io/blog/87/hxp-CTF-2021-indie_vmm-writeup/
[3]: https://www.kalmarunionen.dk/writeups/2021/hxp-2021/lkvm/
[4]: https://blog.quarkslab.com/no-tears-no-fears.html
[5]: https://fly.io/blog/sandboxing-and-workload-isolation/

Martin Radev (5):
  virtio: Sanitize config accesses
  virtio: Check for overflows in QUEUE_NOTIFY and QUEUE_SEL
  virtio/net: Warn if virtio_net is implicitly enabled
  Makefile: Mark stack as not executable
  mmio: Sanitize addr and len

 Makefile                |  7 +++++--
 include/kvm/virtio-9p.h |  1 +
 include/kvm/virtio.h    |  3 ++-
 mmio.c                  |  4 ++++
 virtio/9p.c             | 21 ++++++++++++++++----
 virtio/balloon.c        |  8 +++++++-
 virtio/blk.c            |  8 +++++++-
 virtio/console.c        |  8 +++++++-
 virtio/mmio.c           | 44 ++++++++++++++++++++++++++++++++++-------
 virtio/net.c            | 11 ++++++++++-
 virtio/pci.c            | 40 +++++++++++++++++++++++++++++++++----
 virtio/rng.c            |  8 +++++++-
 virtio/scsi.c           |  8 +++++++-
 virtio/vsock.c          |  8 +++++++-
 14 files changed, 154 insertions(+), 25 deletions(-)

-- 
2.25.1