Bug 2304289 (CVE-2024-7730) - CVE-2024-7730 qemu-kvm: virtio-snd: heap buffer overflow in virtio_snd_pcm_in_cb()
Summary: CVE-2024-7730 qemu-kvm: virtio-snd: heap buffer overflow in virtio_snd_pcm_in...
Keywords:
Status: NEW
Alias: CVE-2024-7730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2304291
Blocks:
Reported: 2024-08-13 09:50 UTC by Mauro Matteo Cascella
Modified: 2024-08-30 12:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2024-08-13 09:50:08 UTC
When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit the data buffer. This is because we use the buffer->size field as a total-so-far accumulator instead of byte-size-left like in TX buffers.

This triggers an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. This commit adds a check for reaching the maximum buffer size before attempting any writes.

Reference:
https://lore.kernel.org/qemu-devel/virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org/

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/2427

Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3
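The two patterns the description contrasts, a size field that only accumulates with no check against the room left for audio, versus a capacity check before any write, as an added C model. This is a constructed illustration, not QEMU's virtio-snd code or the upstream fix; STATUS_SIZE, ELEM_CAP, rx_element and the rx_* functions are invented stand-ins, and bytes beyond the element are filled with a canary so the overflow can be observed safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a virtio-snd RX queue element, not QEMU's code: the guest's
 * writable region holds audio samples followed by a trailing status block. */
#define STATUS_SIZE 8u  /* stand-in for sizeof(struct virtio_snd_pcm_status) */
#define ELEM_CAP   64u  /* backing storage; bytes past elem_size act as a canary */
typedef struct {
    uint8_t region[ELEM_CAP]; /* region[0..elem_size) is the element, rest is canary */
    size_t elem_size;         /* writable size of the queue element */
    size_t size;              /* audio bytes written so far (total-so-far accumulator) */
} rx_element;
static rx_element rx_new(size_t elem_size) {
    rx_element e = { .elem_size = elem_size, .size = 0 };
    memset(e.region, 0xCC, ELEM_CAP);   /* canary pattern */
    return e;
}
/* Vulnerable pattern: 'size' only accumulates and is never compared with the room left
 * for audio, so a STATUS_SIZE-byte element (zero audio capacity) is written past its end. */
static size_t rx_write_unchecked(rx_element *e, const uint8_t *src, size_t len) {
    if (len > ELEM_CAP - e->size) len = ELEM_CAP - e->size; /* keeps the model itself in bounds */
    memcpy(e->region + e->size, src, len);
    e->size += len;
    return len;
}
/* Hardened pattern: derive the audio capacity and refuse the write once it is reached. */
static size_t rx_write_checked(rx_element *e, const uint8_t *src, size_t len) {
    size_t cap = e->elem_size > STATUS_SIZE ? e->elem_size - STATUS_SIZE : 0;
    if (e->size >= cap) return 0;       /* full, or zero-capacity element */
    if (len > cap - e->size) len = cap - e->size;
    memcpy(e->region + e->size, src, len);
    e->size += len;
    return len;
}
static bool rx_overflowed(const rx_element *e) { /* any byte beyond the element modified? */
    for (size_t i = e->elem_size; i < ELEM_CAP; i++)
        if (e->region[i] != 0xCC) return true;
    return false;
}
static bool unchecked_overflows(void) {
    uint8_t samples[16]; memset(samples, 0xAB, sizeof samples); /* constructed audio data */
    rx_element e = rx_new(STATUS_SIZE);                          /* zero-capacity element */
    rx_write_unchecked(&e, samples, sizeof samples);
    return rx_overflowed(&e);
}
static bool checked_is_safe(void) {
    uint8_t samples[16]; memset(samples, 0xAB, sizeof samples);
    rx_element e = rx_new(STATUS_SIZE);
    return rx_write_checked(&e, samples, sizeof samples) == 0 && !rx_overflowed(&e);
}
```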

