rustsec-2024-0428
Vulnerability from osv_rustsec
An issue was identified in the `VmFd::create_device` function, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules.
The function cast a mutable reference to its `struct kvm_create_device` argument to an immutable pointer, and then passed this pointer to a mutating system call. Rustc 1.82.0 and newer elide subsequent reads of this structure's fields, meaning code will not see the value written by the kernel into the `fd` member. Instead, the code will observe the value that this field was initialized to prior to calling `VmFd::create_device` (usually, 0).
The issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using a mutable pointer.
{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "kvm_ioctls::ioctls::vm::VmFd::create_device"
          ],
          "os": [
            "linux"
          ]
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "kvm-ioctls",
        "purl": "pkg:cargo/kvm-ioctls"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.19.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-3qx8-rv27-j6gp"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "An issue was identified in the `VmFd::create_device function`, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function\u0027s violation of Rust\u0027s pointer safety rules.\n\nThe function downcasted a mutable reference to its `struct kvm_create_device` argument to an immutable pointer, and then proceeded to pass this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure\u0027s fields, meaning code will not see the value written by the kernel into the `fd` member. Instead, the code will observe the value that this field was initialized to prior to calling `VmFd::create_device` (usually, 0).\n\nThe issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using\na mutable pointer.",
  "id": "RUSTSEC-2024-0428",
  "modified": "2025-10-28T06:02:18Z",
  "published": "2024-12-05T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/kvm-ioctls"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0428.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-vmm/kvm/pull/298"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`"
}