Virtio-Win VirtIO Block Device Use-After-Free Vulnerability Leading to Memory Corruption

Vulnerability

A use-after-free vulnerability has been identified in the VirtIO Block (BLK) device of virtio-win. The flaw occurs when the device is reset, because memory is handled improperly during the reset. A local attacker could exploit this vulnerability to corrupt system memory, potentially causing system instability or unexpected behavior.

Impact

Exploitation of this vulnerability can lead to memory corruption, allowing a local attacker to cause system instability or unexpected behavior. According to Red Hat, this vulnerability could also be exploited to execute unauthorized code or commands.

Reproduction

The vulnerability can be reproduced by performing a full VirtIO reset and initialization flow on the VirtIO BLK device. This process involves resetting the VirtIO device, deleting VirtIO queues, cleaning up all device memory, completing all pending requests in the guest operating system, and then reinitializing the VirtIO device. However, this reset process can inadvertently cause a use-after-free condition, as the memory being freed may still be in use by the device, leading to potential memory corruption.

Remediation

A fix for this vulnerability has been implemented and is available in the latest version of the virtio-win KVM guest drivers for Windows.

Added: Mar 30, 2026, 3:21 PM
Updated: Mar 30, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 3.9
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.