193 - netkvm.sys (RedHat virtio driver) BSoD on malformed IPv4 packet - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ scvitti@google.com Last visit > 30 days ago
Closed:	Jan 2015
Cc:	project-...@google.com
Product-netkvm Vendor-RedHat Deadline-90 Fuzzer-ProtonPack Severity-medium Reported-2014-Nov-21 CCProjectZeroMembers Finder-scvitti

netkvm.sys (RedHat virtio driver) BSoD on malformed IPv4 packet

Project Member Reported by scvitti@google.com, Nov 21 2014

Back to list

When running a Windows 7 x64 SP1 system in QEMU the virtio NIC (netkvm.sys) will fault with a malformed IPv4 packet where IHL is set to 6 (i.e. options are included for a total packet length > 20 bytes) but the total length field is set to 20 bytes. That is to say that the IPv4 packets starts with 0x46000014. PCAP PoC is attached.

reading from file singlepkt-crash.pcap, link-type EN10MB (Ethernet)
15:04:10.451386 IP bad-len 20
        0x0000:  4600 0014 c8c9 0000 1706 9991 00e2 eea4  F...............
        0x0010:  5103 0000 0000 0000 0000 0000 0000 0000  Q...............
        0x0020:  0000 0000 0000 0000 0000                 ..........


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

singlepkt-crash.pcap
96 bytes Download

Project Member Comment 1 by scvitti@google.com, Jan 7 2015

Status: Fixed

Project Member Comment 2 by scvitti@google.com, Jan 8 2015

Labels: -Restrict-View-Commit

Project Member Comment 3 by scvitti@google.com, Jan 12 2015

Link to github page with fix: https://github.com/YanVugenfirer/kvm-guest-drivers-windows/commit/723416fa4210b7464b28eab89cc76252e6193ac1

Project Member Comment 4 by scvitti@google.com, Jan 13 2015

Labels: -Reported-Nov-21 Reported-2014-Nov-21

► Sign in to add a comment