GHSA-3qx8-rv27-j6gp

Source: https://github.com/advisories/GHSA-3qx8-rv27-j6gp
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-3qx8-rv27-j6gp/GHSA-3qx8-rv27-j6gp.json
JSON Data: https://api.osv.dev/v1/vulns/GHSA-3qx8-rv27-j6gp
Published: 2024-12-23T19:26:37Z
Modified: 2024-12-23T19:26:37Z
Summary
Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`
Details

An issue was identified in the VmFd::create_device function, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules.

The function cast a mutable reference to its `struct kvm_create_device` argument down to an immutable pointer, and then passed this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure's fields, meaning code will not see the value written by the kernel into the `fd` member. Instead, the code will observe the value that this field was initialized to prior to calling `VmFd::create_device` (usually, 0).

The issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using a mutable pointer.
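
The pointer pattern described above, reduced to a self-contained model (an added example, not code from kvm-ioctls or from this advisory). `CreateDevice`, `fake_kernel_create_device` and both `create_device_*` functions are hypothetical stand-ins; the pre-fix shape is an assumption based on the description, modelled as a shared reborrow, and is shown but never executed.

```rust
// Added illustration, not kvm-ioctls source. Every name below is hypothetical.
#[repr(C)]
pub struct CreateDevice {
    pub type_: u32,
    pub fd: u32,
    pub flags: u32,
}

pub const CONSTRUCTED_FD: u32 = 42; // constructed sample value

/// Stand-in for the mutating system call: writes the new fd into the
/// caller's struct through the raw pointer it was handed.
unsafe fn fake_kernel_create_device(arg: *mut CreateDevice) -> i32 {
    unsafe { (*arg).fd = CONSTRUCTED_FD };
    0
}

/// Pre-fix pattern (assumed shape): the `&mut` is reborrowed as shared and
/// turned into a `*const`. The compiler may then treat the struct as
/// unchanged across the call, so the write is undefined behaviour and
/// `dev.fd` can be read as its pre-call value. Never called in this example.
#[allow(dead_code)]
pub fn create_device_before(dev: &mut CreateDevice) -> u32 {
    let shared: &CreateDevice = dev;
    let ptr = shared as *const CreateDevice;
    unsafe { fake_kernel_create_device(ptr as *mut CreateDevice) };
    dev.fd
}

/// Fixed pattern: the pointer is derived from the `&mut` as `*mut`, so the
/// callee's write is visible to every later read of `dev`.
pub fn create_device_fixed(dev: &mut CreateDevice) -> u32 {
    let ptr: *mut CreateDevice = dev;
    let ret = unsafe { fake_kernel_create_device(ptr) };
    assert_eq!(ret, 0, "stand-in call failed");
    dev.fd
}

fn main() {
    let mut dev = CreateDevice { type_: 1, fd: 0, flags: 0 };
    println!("fd seen by caller: {}", create_device_fixed(&mut dev));
}
```
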

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-843"
    ],
    "github_reviewed_at": "2024-12-23T19:26:37Z",
    "github_reviewed": true
}
Affected packages

crates.io / kvm-ioctls

Package

Affected ranges

Type: SEMVER
Events:
Introduced: 0 (Unknown introduced version / All previous versions are affected)
Fixed: 0.19.1