CVE-2021-45464 - KVMtool Out-of-Bounds Write Vulnerability Allowing Guest OS Users to Execute Arbitrary Code on Host Machines

CVE-2021-45464 is an out-of-bounds write in kvmtool (the Kernel-based Virtual Machine tool, a lightweight userspace front end for KVM) up to and including commit 39181fc. The flaw is related to the files virtio/balloon.c and virtio/pci.c. A malicious guest OS user can trigger a write to host memory that the guest should not be able to reach, which can crash the host-side process and, in the worst case, could allow arbitrary code execution on the host machine.

Exploit Details

The out-of-bounds write occurs in the handling of the virtio balloon device's configuration space, which kvmtool exposes to the guest through its virtio PCI transport. The relevant code resides in virtio/balloon.c and virtio/pci.c.

The following is a simplified sketch of the affected code paths (condensed for illustration, not a verbatim copy of the kvmtool sources):

/* virtio/balloon.c (simplified) */
void virtio_balloon(struct kvm *kvm)
{
	...
	/* Reads the balloon device's configuration through the virtio PCI layer. */
	kvm->virtio_devices[dev].ops->get_config(kvm, dev, &config);
	...
}

/* virtio/pci.c (simplified) */
u8 virtio_pci__get_config_byte(struct kvm *kvm, struct virt_device *vdev, u32 offset)
{
	/* offset comes from the guest's PCI configuration access and is never
	 * compared against the size of the device's configuration structure,
	 * so a large offset reaches memory outside vdev. */
	offset += offsetof(struct virtio_pci_common_cfg, config);

	return *((u8 *)vdev + offset);
}

Because the offset used to address the balloon device's configuration is taken from the guest's PCI configuration access without being checked against the size of the device's configuration structure, the guest controls where the access lands. A guest OS user can therefore turn a specially crafted PCI configuration access into a write to host memory outside the device structure. Depending on what lies at the target address, this can crash the host-side kvmtool process (a denial of service for every VM it runs) or, potentially, be used to execute arbitrary code on the host.
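To make the pattern concrete, here is an added example in C that is not kvmtool's code and not the actual fix. It models a virtio-pci device-specific configuration window as a hypothetical toy_device with an 8-byte guest-visible config area followed by host-only state, shows an unchecked write path of the kind described above, and places a hardened variant beside it that bounds-checks the guest-supplied offset and length before touching memory. All names, sizes and the canary value are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this toy device (not kvmtool's layout): an 8-byte
 * guest-visible config window followed by 8 bytes of host-only state. */
#define CONFIG_SIZE  8
#define PRIVATE_SIZE 8

struct toy_device {
    uint8_t mem[CONFIG_SIZE + PRIVATE_SIZE]; /* [0,8) config, [8,16) host-only */
};

/* Constructed marker stored in the host-only region so corruption is visible. */
static const uint64_t CANARY = 0x4242424242424242ULL;

static void toy_device_init(struct toy_device *dev)
{
    memset(dev, 0, sizeof *dev);
    memcpy(dev->mem + CONFIG_SIZE, &CANARY, sizeof CANARY);
}

static bool toy_device_private_intact(const struct toy_device *dev)
{
    return memcmp(dev->mem + CONFIG_SIZE, &CANARY, sizeof CANARY) == 0;
}

/* Vulnerable pattern: the offset from the guest's PCI config access is used
 * as an index without comparing it against the window size. Any offset at
 * or beyond CONFIG_SIZE lands in host-only memory; on a real hypervisor an
 * offset past the whole object corrupts unrelated heap data or crashes. */
static void config_write_unchecked(struct toy_device *dev, uint32_t offset, uint8_t value)
{
    dev->mem[offset] = value;
}

/* Hardened pattern: accept only accesses that fit inside the window.
 * Written with subtraction so a huge guest offset cannot wrap offset + len. */
static bool config_access_in_bounds(uint32_t offset, uint32_t len)
{
    return len != 0 && offset <= CONFIG_SIZE && len <= CONFIG_SIZE - offset;
}

static bool config_write_checked(struct toy_device *dev, uint32_t offset, uint32_t len, const uint8_t *src)
{
    if (!config_access_in_bounds(offset, len))
        return false;
    memcpy(dev->mem + offset, src, len);
    return true;
}

static bool config_read_checked(const struct toy_device *dev, uint32_t offset, uint32_t len, uint8_t *dst)
{
    if (!config_access_in_bounds(offset, len))
        return false;
    memcpy(dst, dev->mem + offset, len);
    return true;
}

/* Returns 1 if the host-only state survived one unchecked guest write at `offset`.
 * Only call with offset < CONFIG_SIZE + PRIVATE_SIZE; larger values index past the object. */
int host_private_intact_after_unchecked_write(uint32_t offset)
{
    struct toy_device dev;
    toy_device_init(&dev);
    config_write_unchecked(&dev, offset, 0xff);
    return toy_device_private_intact(&dev) ? 1 : 0;
}

/* Returns whether the hardened write path accepts a `len`-byte write at `offset`. */
bool checked_write_accepted(uint32_t offset, uint32_t len)
{
    struct toy_device dev;
    uint8_t src[CONFIG_SIZE];
    if (len > sizeof src)
        return false;
    toy_device_init(&dev);
    memset(src, 0xff, sizeof src);
    return config_write_checked(&dev, offset, len, src);
}

/* Returns whether the hardened read path accepts a `len`-byte read at `offset`. */
bool checked_read_accepted(uint32_t offset, uint32_t len)
{
    struct toy_device dev;
    uint8_t dst[CONFIG_SIZE];
    if (len > sizeof dst)
        return false;
    toy_device_init(&dev);
    return config_read_checked(&dev, offset, len, dst);
}

int main(void)
{
    printf("unchecked write at offset 3 keeps host state: %d\n", host_private_intact_after_unchecked_write(3));
    printf("unchecked write at offset 8 keeps host state: %d\n", host_private_intact_after_unchecked_write(8));
    printf("checked write offset 5 len 4 accepted: %d\n", checked_write_accepted(5, 4));
    printf("checked write offset 0xffffffff len 1 accepted: %d\n", checked_write_accepted(0xffffffffu, 1));
    return 0;
}
```

The check is deliberately written as `len <= CONFIG_SIZE - offset` after confirming `offset <= CONFIG_SIZE`, rather than `offset + len <= CONFIG_SIZE`: with a guest-controlled 32-bit offset the addition can wrap to a small value and pass a naive comparison, which is exactly the kind of guest input a device emulator must expect.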

Original References

1. Patch for KVMtool
2. Linux Kernel Mailing List - Patch Submission
3. KVMtool Source Code

Mitigation

To mitigate this vulnerability, update to a kvmtool build that includes the fix; kvmtool is normally built from its git tree rather than installed as a versioned release, so pull a checkout that contains the patch and rebuild. Until then, do not run untrusted guest OSes under an affected build, and keep the kvmtool (lkvm) process running with the least host privilege it needs so that a compromise of the host-side process is contained. System administrators should also monitor hosts running virtual machines with untrusted guests for crashes of the kvmtool process and other signs of unauthorized access.

Conclusion

CVE-2021-45464 is a serious vulnerability in kvmtool: an out-of-bounds write reachable from a guest, which a malicious guest OS user could use to crash the host-side process and potentially execute arbitrary code on the host machine. Because the guest-to-host boundary is the one a hypervisor exists to enforce, users should move to a kvmtool build that contains the fix before running untrusted guests.

Timeline

Published on: 04/15/2023 23:15:00 UTC
Last modified on: 04/26/2023 14:46:00 UTC