N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3qx8-rv27-j6gp

EPSS Score

CWE

CWE-843

Published

12/23/2024

Updated

12/23/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3qx8-rv27-j6gp

GHSA-3qx8-rv27-j6gp: Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`

An issue was identified in the VmFd::create_device function, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules.

The function downcasted a mutable reference to its struct kvm_create_device argument to an immutable pointer, and then proceeded to pass this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure's fields, meaning code will not see the value written by the kernel into the fd member. Instead, the code will observe the value that this field was initialized to prior to calling VmFd::create_device (usually, 0).

The issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using a mutable pointer.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3qx8-rv27-j6gp

EPSS Score

CWE

CWE-843

Published

12/23/2024

Updated

12/23/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
kvm-ioctls	rust	< 0.19.1	0.19.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names VmFd::create_device as the affected function. The GitHub PR #298 shows the fix was changing from ioctl_with_ref to ioctl_with_mut_ref in vm.rs, confirming the location. The root cause matches CWE-843 (type confusion between mutable/immutable pointers) and aligns with the described undefined behavior pattern in Rust pointer handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s i**nti*i** in t** `Vm**::*r**t*_**vi** *un*tion`, l***in* to un***in** ****vior *n* mis*ompil*tions on rust* *.**.* *n* n*w*r *u* to t** *un*tion's viol*tion o* Rust's point*r s***ty rul*s. T** *un*tion *own**st** * mut**l* r***r*n** to

Reasoning

T** vuln*r**ility **s*ription *xpli*itly n*m*s Vm**::*r**t*_**vi** *s t** *****t** *un*tion. T** *it*u* PR #*** s*ows t** *ix w*s ***n*in* *rom io*tl_wit*_r** to io*tl_wit*_mut_r** in vm.rs, *on*irmin* t** lo**tion. T** root **us* m*t***s *W*-*** (ty

N/A

Basic Information

Concerned about an active attack path?

GHSA-3qx8-rv27-j6gp: Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI