CVE-2024-8612
Description
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size passed to virtqueue_push, as set in virtio_scsi_complete_req / virtio_blk_req_complete / virtio_crypto_req_complete, could be larger than the true size of the data which has been sent to the guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
QEMU virtio-scsi, virtio-blk, and virtio-crypto devices incorrectly set the virtqueue_push size, causing uninitialized bounce buffer data to be written back to the guest, leading to an information leak.
Overview
A flaw in QEMU's virtio-scsi, virtio-blk, and virtio-crypto devices allows an information leak. The functions virtio_scsi_complete_req, virtio_blk_req_complete, and virtio_crypto_req_complete set the size parameter for virtqueue_push to a value larger than the actual data transmitted to the guest [1][3]. This discrepancy causes dma_memory_unmap to later write back more data than intended from the bounce buffer, including uninitialized memory regions [1][3].
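The mechanism described above, reduced to a small C model. This is an added example, not QEMU code and not the upstream patch: `struct bounce`, `map_in`, `unmap_in` and `complete_req` are hypothetical names, and the stale heap contents are simulated with a fixed marker byte so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GUEST_BUF  64     /* size of the guest's device-writable buffer (in_iov) */
#define STALE      0xAA   /* constructed marker standing in for leftover host heap data */
#define GUEST_FILL 0x11   /* what the guest buffer held before the request */

/* Hypothetical stand-in for a bounce-buffer mapping (not QEMU's structure). */
struct bounce { uint8_t *buf; size_t len; };

/* Map: allocate a host-side bounce buffer for a guest region the device writes to. */
static struct bounce map_in(size_t len, int zero_init) {
    struct bounce b = { malloc(len), len };
    if (!b.buf) abort();
    /* Real malloc() contents are indeterminate; STALE models them deterministically. */
    memset(b.buf, zero_init ? 0 : STALE, len);
    return b;
}

/* Unmap: write access_len bytes of the bounce buffer back into guest memory. */
static void unmap_in(struct bounce *b, uint8_t *guest, size_t access_len) {
    if (access_len > b->len) access_len = b->len;
    memcpy(guest, b->buf, access_len);
    free(b->buf);
}

/* The device produces `produced` bytes but the completion reports `reported`.
 * Returns how many stale host bytes end up visible in guest memory. */
static size_t complete_req(size_t produced, size_t reported, int zero_init) {
    uint8_t guest[GUEST_BUF];
    memset(guest, GUEST_FILL, sizeof guest);
    struct bounce b = map_in(sizeof guest, zero_init);
    memset(b.buf, 'R', produced);      /* the genuine response data */
    unmap_in(&b, guest, reported);     /* write-back length comes from the completion */
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof guest; i++) leaked += (guest[i] == STALE);
    return leaked;
}

/* Flawed pattern: 16 bytes produced, whole buffer reported as written. */
size_t leak_inflated(void) { return complete_req(16, GUEST_BUF, 0); }
/* Completion reports exactly what was produced: nothing stale is copied. */
size_t leak_exact(void)    { return complete_req(16, 16, 0); }
/* Zero-initialised bounce buffer: an inflated length copies only zeroes. */
size_t leak_zeroed(void)   { return complete_req(16, GUEST_BUF, 1); }
```

In this model either control on its own removes the stale bytes; the zero-initialised buffer also covers any completion path that still reports too large a length.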
Exploitation
An attacker would need to be able to trigger completion of I/O requests on the affected virtio devices within a guest VM. No special privileges outside the guest are required, but the attacker must be running code inside the VM that can interact with the virtio devices. The flaw is present in the data path where bounce buffers are used for DMA operations; when the unmap operation writes back the inflated size, stale or uninitialized data from the bounce buffer may be included [1][3].
Impact
Successful exploitation results in the guest VM receiving data beyond the intended I/O response. This extra data may contain fragments of host memory or other sensitive information, leading to an information leak from the host to an unprivileged guest [1][3]. The leak is limited to the contents of the bounce buffer and does not directly enable code execution or privilege escalation.
Mitigation
A commit upstream addresses the issue by refining bounce buffer handling and enforcing proper size limits [2]. Users are advised to update QEMU to a version containing this fix. As of publication, no workaround has been provided, and the vulnerability is not listed as exploited in KEV [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (30)
osv-coords, 29 versions:
- pkg:rpm/opensuse/qemu&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/opensuse/qemu&distro=openSUSE%20Leap%2015.6 (no CPE) range: < 8.2.7-150600.3.20.1
- pkg:rpm/opensuse/qemu&distro=openSUSE%20Leap%20Micro%205.5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/opensuse/qemu&distro=openSUSE%20Tumbleweed (no CPE) range: < 9.1.0-2.1
- pkg:rpm/opensuse/qemu-linux-user&distro=openSUSE%20Leap%2015.6 (no CPE) range: < 8.2.7-150600.3.20.1
- pkg:rpm/suse/qemu&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 (no CPE) range: < 8.2.7-150600.3.20.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6 (no CPE) range: < 8.2.7-15061.6.coco15sp6.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 (no CPE) range: < 8.2.7-150600.3.20.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 (no CPE) range: < 7.1.0-150500.49.24.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 (no CPE) range: < 8.2.7-150600.3.20.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE) range: < 5.2.0-150300.135.1
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Micro%206.0 (no CPE) range: < 8.2.7-1.1
- pkg:rpm/suse/qemu&distro=SUSE%20Manager%20Proxy%204.3 (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu&distro=SUSE%20Manager%20Server%204.3 (no CPE) range: < 6.2.0-150400.37.37.3
- pkg:rpm/suse/qemu-linux-user&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 (no CPE) range: < 8.2.7-150600.3.20.1
Patches (1)
637b0aa13956
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.