Reported

September 1, 2023

Issued

September 6, 2023

Package

vm-memory (crates.io)

Type

INFO Unsound

Categories

• memory-exposure

Aliases

• CVE-2023-41051
• GHSA-49hh-fprx-m68g

References

• https://github.com/rust-vmm/vm-memory/issues/250
• https://github.com/rust-vmm/vm-memory/commit/aff1dd4a5259f7deba56692840f7a2d9ca34c9c8

CVSS Score

2.5 LOW

CVSS Details

Attack vector

Local

Attack complexity

High

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Patched

• >=0.12.2

Affected Functions

Version

vm_memory::volatile_memory::VolatileMemory::aligned_as_mut

• <0.12.2

vm_memory::volatile_memory::VolatileMemory::aligned_as_ref

• <0.12.2

vm_memory::volatile_memory::VolatileMemory::get_array_ref

• <0.12.2

vm_memory::volatile_memory::VolatileMemory::get_atomic_ref

• <0.12.2

vm_memory::volatile_memory::VolatileMemory::get_ref

• <0.12.2

Description

An issue was discovered in the default implementations of the VolatileMemory::{get_atomic_ref, aligned_as_ref, aligned_as_mut, get_ref, get_array_ref} trait functions, which allows out-of-bounds memory access if the VolatileMemory::get_slice function returns a VolatileSlice whose length is less than the function’s count argument. No implementations of get_slice provided in vm_memory are affected. Users of custom VolatileMemory implementations may be impacted if the custom implementation does not adhere to get_slice's documentation.

The issue started in version 0.1.0 but was fixed in version 0.12.2 by inserting a check that verifies that the VolatileSlice returned by get_slice is of the correct length.

Advisory available under CC0-1.0 license.