CVE-2021-36148

Vulnerability

CVE-2021-36148 is a buffer overflow in the ACRN hypervisor's dmar_free_irte function, located in hypervisor/arch/x86/vtd.c. The function is used when freeing interrupt remapping table entries for PCI devices and IOAPIC interrupts. In versions before 2.5, dmar_free_irte did not validate that the index parameter (the interrupt remapping table entry index) is less than CONFIG_MAX_IR_ENTRIES. The fix adds a boundary check (index < CONFIG_MAX_IR_ENTRIES) before accessing the interrupt remapping table (IRTE) bitmap. The vulnerability was introduced because a prior change removed the index validation from the caller ptirq_free_irte, leaving dmar_free_irte with an unchecked index [1].

Exploitation

An attacker with the ability to control or influence the irte_idx field of a ptirq_remapping_info structure (for example, via crafted PCI device assignment or IOAPIC manipulation inside a VM) could supply an index value that exceeds CONFIG_MAX_IR_ENTRIES. This permits out-of-bounds writes to the irte_alloc_bitmap and possibly the ir_table array in kernel memory. The attacker would need some level of control over interrupt remapping configuration, likely requiring a compromised or malicious virtual machine or physical access to a management interface [1].

Impact

Successful exploitation of this buffer overflow can lead to memory corruption, potentially allowing an attacker to escalate privileges from a VM to the hypervisor level or cause a denial of service (system crash). The overflow could overwrite adjacent data structures in the hypervisor's address space, potentially enabling arbitrary code execution at the highest privilege level (VMX root mode) [1].

Mitigation

The issue is fixed in ACRN version 2.5 and later. The commit [1] (25c0e3817eb332660dd63d1d4522e63dcc94e79a) adds the missing boundary check. Users should update to ACRN 2.5 or apply the patch. No workaround is documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].