rust-vmm / vhost


Missing Input Parameter Validation #211

Closed JonathanWoollett-Light closed 7 months ago

JonathanWoollett-Light commented 7 months ago

From @y-x41

While reviewing the vhost crate, it was found that the function VHostUserHandler::set_vring_base() lacks validation of the input parameter index, which is used for indexing an internal vector and could potentially lead to an Out-of-Bounds write resulting in an application panic. The below listing depicts the vulnerable code segment.

```rust
impl<S, V, B> VhostUserBackendReqHandlerMut for VhostUserHandler<S, V, B>
where
    S: VhostUserBackend<V, B>,
    V: VringT<GM<B>>,
    B: NewBitmap + Clone,
{
    // [...]

    fn set_vring_base(&mut self, index: u32, base: u32) -> VhostUserResult<()> {
        let event_idx: bool = (self.acked_features & (1 << VIRTIO_RING_F_EVENT_IDX)) != 0;

        // `index` is used as-is to index `self.vrings`; no bounds check is performed.
        self.vrings[index as usize].set_queue_next_avail(base as u16);
        self.vrings[index as usize].set_queue_event_idx(event_idx);
        self.backend.set_event_idx(event_idx);

        Ok(())
    }
}
```

X41 advises performing thorough input parameter validation to prevent any possibility of encountering potential Out-of-Bounds read/writes.
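The following sketch is an added example, not code from the vhost crate or from the issue. It contrasts the unchecked indexing pattern reported above with a bounds-checked lookup that returns an error instead of panicking. `Handler`, `Vring`, and `HandlerError` are stand-in types assumed for illustration, and the rejection of a `base` that does not fit in `u16` is an extra check the issue does not mention.

```rust
use std::panic;

// Stand-in types for this sketch (assumptions, not the vhost crate's definitions).
#[derive(Debug, PartialEq)]
enum HandlerError { InvalidParam }

#[derive(Debug, Default, PartialEq)]
struct Vring { next_avail: u16, event_idx: bool }

const VIRTIO_RING_F_EVENT_IDX: u64 = 29;

struct Handler { acked_features: u64, vrings: Vec<Vring> }

impl Handler {
    // Pattern from the issue: `index` indexes the vector directly.
    fn set_vring_base_unchecked(&mut self, index: u32, base: u32) {
        let event_idx = (self.acked_features & (1 << VIRTIO_RING_F_EVENT_IDX)) != 0;
        self.vrings[index as usize].next_avail = base as u16;
        self.vrings[index as usize].event_idx = event_idx;
    }

    // Validated form: one checked lookup, error on any out-of-range input.
    fn set_vring_base(&mut self, index: u32, base: u32) -> Result<(), HandlerError> {
        let event_idx = (self.acked_features & (1 << VIRTIO_RING_F_EVENT_IDX)) != 0;
        // Extra check (assumption): refuse a base that `as u16` would truncate.
        if base > u32::from(u16::MAX) {
            return Err(HandlerError::InvalidParam);
        }
        let vring = self.vrings.get_mut(index as usize).ok_or(HandlerError::InvalidParam)?;
        vring.next_avail = base as u16;
        vring.event_idx = event_idx;
        Ok(())
    }
}

// True if the unchecked variant panics for `index` on a two-queue handler.
fn unchecked_panics(index: u32) -> bool {
    panic::catch_unwind(|| {
        let mut h = Handler { acked_features: 0, vrings: vec![Vring::default(), Vring::default()] };
        h.set_vring_base_unchecked(index, 0);
    })
    .is_err()
}

fn main() {
    let mut h = Handler { acked_features: 1 << VIRTIO_RING_F_EVENT_IDX, vrings: vec![Vring::default(), Vring::default()] };
    println!("{:?}", h.set_vring_base(1, 7));
    println!("{:?}", h.set_vring_base(2, 7));
    println!("unchecked panics on index 2: {}", unchecked_panics(2));
}
```

All validation happens before any state is written, so a rejected request leaves the queue state untouched.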