CVE-2021-32846— HyperKit 代码问题漏洞

Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx

HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107, function `pci_vtsock_proc_tx` in `virtio-sock` can lead to to uninitialized memory use. In this situation, there is a check for the return value to be less or equal to `VTSOCK_MAXSEGS`, but that check is not sufficient because the function can return `-1` if it finds an error it cannot recover from. Moreover, the negative return value will be used by `iovec_pull` in a while condition that can further lead to more corruption because the function is not designed to handle a negative `iov_len`. This issue may lead to a guest crashing the host causing a denial of service and, under certain circumstance, memory corruption. This issue is fixed in commit af5eba2360a7351c08dfd9767d9be863a50ebaba.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

对未经初始化资源的使用

HyperKit 代码问题漏洞

HyperKit是Moby开源的一个用于在应用程序中嵌入虚拟机监控程序功能的工具包。 HyperKit 0.20210107及之前版本存在安全漏洞，该漏洞源于`virtio-sock` 中的函数 `pci_vtsock_proc_tx` 会导致未初始化的内存使用，攻击者利用该漏洞可以使主机崩溃，从而导致拒绝服务，并且在某些情况下会导致内存损坏。

N/A

N/A