Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx
Vulnerability Description
HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107, function `pci_vtsock_proc_tx` in `virtio-sock` can lead to to uninitialized memory use. In this situation, there is a check for the return value to be less or equal to `VTSOCK_MAXSEGS`, but that check is not sufficient because the function can return `-1` if it finds an error it cannot recover from. Moreover, the negative return value will be used by `iovec_pull` in a while condition that can further lead to more corruption because the function is not designed to handle a negative `iov_len`. This issue may lead to a guest crashing the host causing a denial of service and, under certain circumstance, memory corruption. This issue is fixed in commit af5eba2360a7351c08dfd9767d9be863a50ebaba.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Vulnerability Type
对未经初始化资源的使用
Vulnerability Title
HyperKit 代码问题漏洞
Vulnerability Description
HyperKit是Moby开源的一个用于在应用程序中嵌入虚拟机监控程序功能的工具包。 HyperKit 0.20210107及之前版本存在安全漏洞,该漏洞源于`virtio-sock` 中的函数 `pci_vtsock_proc_tx` 会导致未初始化的内存使用,攻击者利用该漏洞可以使主机崩溃,从而导致拒绝服务,并且在某些情况下会导致内存损坏。
CVSS Information
N/A
Vulnerability Type
N/A