Virtio-win Buffer Overrun Vulnerability in Unmap Request Handling Leading to Denial-of-Service

Vulnerability

A buffer overrun vulnerability has been identified in virtio-win, specifically within the `RhelDoUnMap()` function. This vulnerability arises because the function fails to properly validate the number of descriptors provided by users during unmap requests. A local user could exploit this flaw by sending an excessive number of descriptors, causing a buffer overrun that leads to a system crash and a denial-of-service condition. This issue affects Windows guests running on Red Hat Enterprise Linux.

Impact

Exploitation of this vulnerability causes a system crash, leading to a denial-of-service condition on the affected system.

Reproduction

The vulnerability can be reproduced by sending an unmap request whose descriptor count exceeds the expected limit. This can be done by manipulating the `BlockDescrCount` value in the user buffer so that it advertises support for more segments than the `RhelDoUnMap()` function can safely handle, which triggers the buffer overrun and causes a crash.

Remediation

Users can upgrade to the latest version of virtio-win, where this vulnerability has been fixed. Red Hat customers can also open a support case to request prioritization of this issue.
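The kind of descriptor-count validation whose absence is described above, shown as an added example; it is not the virtio-win code or its fix. It assumes the request is a SCSI UNMAP parameter list (8-byte header followed by 16-byte block descriptors); `parse_unmap`, `check_request`, `discard_seg` and `MAX_SEGMENTS` are hypothetical names, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UNMAP_HDR_LEN  8u   /* UNMAP parameter list header */
#define UNMAP_DESC_LEN 16u  /* one block descriptor: LBA(8) + blocks(4) + reserved(4) */
#define MAX_SEGMENTS   16u  /* assumed capacity of the fixed destination array */

struct discard_seg { uint64_t lba; uint32_t blocks; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of segments copied, or -1 when the request is rejected. */
int parse_unmap(const uint8_t *buf, size_t buf_len, struct discard_seg *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || buf_len < UNMAP_HDR_LEN)
        return -1;
    size_t desc_bytes = ((size_t)buf[2] << 8) | buf[3];  /* caller-controlled length field */
    if (desc_bytes % UNMAP_DESC_LEN != 0)
        return -1;                                       /* partial descriptor */
    if (desc_bytes > buf_len - UNMAP_HDR_LEN)
        return -1;                                       /* claims more than was transferred */
    size_t count = desc_bytes / UNMAP_DESC_LEN;
    if (count > out_cap)
        return -1;                                       /* would overrun the destination */
    for (size_t i = 0; i < count; i++) {
        const uint8_t *d = buf + UNMAP_HDR_LEN + i * UNMAP_DESC_LEN;
        out[i].lba = ((uint64_t)be32(d) << 32) | be32(d + 4);
        out[i].blocks = be32(d + 8);
    }
    return (int)count;
}

/* Constructed input: header claims `claimed` descriptors, buffer carries `present`. */
int check_request(unsigned claimed, unsigned present)
{
    static uint8_t buf[UNMAP_HDR_LEN + 64 * UNMAP_DESC_LEN];
    struct discard_seg segs[MAX_SEGMENTS];
    if (claimed > 64 || present > 64)
        return -1;
    memset(buf, 0, sizeof buf);
    unsigned desc_bytes = claimed * UNMAP_DESC_LEN;
    buf[0] = (uint8_t)((desc_bytes + 6) >> 8); buf[1] = (uint8_t)(desc_bytes + 6);
    buf[2] = (uint8_t)(desc_bytes >> 8);       buf[3] = (uint8_t)desc_bytes;
    return parse_unmap(buf, UNMAP_HDR_LEN + (size_t)present * UNMAP_DESC_LEN, segs, MAX_SEGMENTS);
}
```

The count is checked twice: against the bytes actually transferred and against the destination's capacity, so neither the read nor the write can run past its buffer.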

Added: Mar 30, 2026, 3:21 PM
Updated: Mar 30, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 3.9
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.