Linux Kernel virtio-pci Admin Command Completion Oversized Result Size Vulnerability

Vulnerability

The Linux kernel's virtio-pci implementation returned an incorrect result size on admin command completion, and this has been fixed. The function virtio_pci_admin_dev_parts_get() returned a result size 8 bytes larger than the actual data size. The discrepancy arose because the result_sg_size field was populated with the length returned by virtqueue_get_buf(), which covers both the data and an additional 8 bytes of status.

The oversized result size caused two problems: 8 extra bytes of data were appended to the transferred state, and the kernel risked reading beyond the bounds of allocated buffers, potentially causing failures.

The fix adjusts the result size to exclude the status bytes. It was validated through live migrations using virtio-net, virtio-net-transitional, and virtio-blk devices.
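A userspace C model of the size accounting described above, added here as an illustration and not taken from the kernel source or from the fix itself. The function names, the 64-byte result buffer and the clamp-to-zero handling of short completions are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model, not kernel code. All names below are hypothetical. */
#define ADMIN_STATUS_SIZE 8u   /* status bytes counted in the used length, per the advisory */

/* Before the fix: the virtqueue used length is reported as the result size. */
static size_t result_size_unpatched(uint32_t used_len)
{
    return used_len;
}

/* After the fix: exclude the status bytes from the reported size.
 * Assumption of this model: a completion shorter than the status is clamped to 0. */
static size_t result_size_patched(uint32_t used_len)
{
    return used_len >= ADMIN_STATUS_SIZE ? used_len - ADMIN_STATUS_SIZE : 0;
}

/* Consumer-side guard: copy `reported` bytes of device state out of a result
 * buffer of `res_cap` bytes. Returns the bytes copied, or -1 if the reported
 * size would read past the result buffer or overflow the destination. */
static long copy_state(uint8_t *dst, size_t dst_cap,
                       const uint8_t *res, size_t res_cap, size_t reported)
{
    if (reported > res_cap || reported > dst_cap)
        return -1;
    memcpy(dst, res, reported);
    return (long)reported;
}

/* Constructed scenario: 64 data bytes plus 8 status bytes in the used length. */
static int demo(void)
{
    uint8_t res[64], out[128];
    uint32_t used_len = (uint32_t)sizeof(res) + ADMIN_STATUS_SIZE;   /* 72 */

    memset(res, 0xAB, sizeof(res));
    long bad = copy_state(out, sizeof(out), res, sizeof(res),
                          result_size_unpatched(used_len));
    long good = copy_state(out, sizeof(out), res, sizeof(res),
                           result_size_patched(used_len));
    return bad == -1 && good == 64;
}

int main(void) { return demo() ? 0 : 1; }
```

With the unpatched size, the guard rejects the copy because 72 bytes exceed the 64-byte result buffer; without such a guard, the same length is what drives the over-read.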

Impact

The vulnerability could cause buffer over-read issues, where the kernel might read beyond the allocated memory, leading to potential memory corruption or other unintended behavior.

Added: Jul 10, 2025, 8:26 AM
Updated: Jul 10, 2025, 8:26 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.