CVE-2021-36143
Description
ACRN before 2.5 has a hw/pci/virtio/virtio.c vq_endchains NULL Pointer Dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ACRN before 2.5 has a NULL pointer dereference in vq_endchains due to missing input validation, allowing a denial of service.
Vulnerability
ACRN before version 2.5 contains a NULL pointer dereference vulnerability in the vq_endchains function within hw/pci/virtio/virtio.c. The function lacks validation of its input parameters, specifically the vq pointer and the vq->used member, which can be NULL. When vq_endchains is called with a NULL vq or vq->used, the code dereferences these pointers without checking, leading to a crash. This affects versions prior to the commit [1] that introduced checks.
Exploitation
An attacker must be able to cause the vq_endchains function to be called with a NULL vq pointer or a vq where vq->used is NULL. This could be achieved by sending crafted virtio requests or manipulating device state in the device model (DM). The attacker does not require authentication if they can interact with the ACRN device model through malicious I/O operations. The exact sequence of steps involves triggering a code path that leads to an uninitialized or corrupted virtio queue state.
Impact
Successful exploitation results in a NULL pointer dereference leading to a denial of service (DoS) by causing the ACRN device model to crash. This can disrupt the hypervisor's operation and potentially affect guest virtual machines relying on the device model. No information disclosure or privilege escalation is indicated in the available references.
Mitigation
The vulnerability is fixed in ACRN version 2.5 and later. The fix was implemented in commit [1], which adds input validation to vq_endchains so that it returns early if vq or vq->used is NULL. Users should update to ACRN 2.5 or apply the patch from commit 154fe59531c12b82e26d1b24b5531f5066d224f5. No workarounds are documented in the references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
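The early-return check described under Mitigation, shown on a simplified queue model. This is an added example, not ACRN's code: the struct layout, the function names and the interrupt counter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption), not ACRN's real virtqueue structures. */
struct used_ring { uint16_t flags; uint16_t idx; };
struct vq_model {
    struct used_ring *used; /* NULL until the queue has been set up */
    uint16_t save_used;     /* used->idx seen on the previous call */
    int interrupts;         /* notifications delivered to the guest */
};

/* Pre-fix shape: trusts the caller and dereferences unconditionally. */
static int endchains_unchecked(struct vq_model *vq)
{
    uint16_t old_idx = vq->save_used;
    uint16_t new_idx = vq->used->idx; /* faults if vq or vq->used is NULL */

    vq->save_used = new_idx;
    vq->interrupts += (new_idx != old_idx);
    return new_idx != old_idx;        /* 1 when the guest must be notified */
}

/* Post-fix shape: reject an unusable queue before touching it. */
static int endchains_checked(struct vq_model *vq)
{
    if (vq == NULL || vq->used == NULL)
        return 0;
    return endchains_unchecked(vq);
}

/* Constructed cases: a queue without a used ring, then a working queue. */
static int case_no_used_ring(void)
{
    struct vq_model vq = { NULL, 0, 0 };
    return endchains_checked(&vq) + vq.interrupts;
}
static int case_ready_queue(void)
{
    struct used_ring ring = { 0, 3 };     /* three chains handed back */
    struct vq_model vq = { &ring, 0, 0 };
    int first = endchains_checked(&vq);   /* index advanced 0 -> 3 */
    int second = endchains_checked(&vq);  /* no new entries */
    return first * 10 + second + vq.interrupts * 100;
}

int main(void)
{
    printf("%d %d %d\n", endchains_checked(NULL), case_no_used_ring(), case_ready_queue());
    return 0;
}
```

On a valid queue the checked and unchecked versions behave identically; the guard only changes the outcome for a missing queue or a queue with no used ring.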
Affected products
- ACRN/ACRN
References