harden(balloon): bound stats descriptor length

Backports upstream firecracker PR firecracker-microvm#5794 (commit 1689689). Adds a
MAX_STATS_DESC_LEN (256 stat tags = 2560 bytes) cap on the stats
descriptor processed by process_stats_queue(). Pre-fix, a guest
could submit a descriptor with arbitrarily large `head.len`,
causing the inner loop `for index in (0..head.len).step_by(...)`
to iterate billions of times and stall the VMM event loop.

No CVE was assigned upstream; AWS classifies this as a host DoS
hardening rather than a security advisory.

Operationally, SAFE microVMs do not attach a balloon device, so
the unfixed code path is unreachable in our deployment. This is
defence-in-depth for any future config that does attach one.

Cherry-picked cleanly from upstream's source-code diff with two
mechanical adaptations for v1.6.5:
  - drop the unrelated CHANGELOG hunk;
  - drop the second 'interrupt' argument from balloon.activate()
    in the new test (added in upstream's later refactor) and
    explicitly import the warn! macro that this module did not
    yet pull in.

(cherry picked from commit 1689689f0a31f9b1107c01ae9c6ed5b6f110050e)

Author: libre-man

src/vmm/src/devices/virtio/balloon/device.rs

@@ -7,7 +7,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use std::{cmp, fmt};
 
-use log::error;
+use log::{error, warn};
 use serde::Serialize;
 use timerfd::{ClockId, SetTimeFlags, TimerFd, TimerState};
 use utils::eventfd::EventFd;
@@ -35,6 +35,16 @@ use crate::vstate::memory::{Address, ByteValued, Bytes, GuestAddress, GuestMemor
 
 const SIZE_OF_U32: usize = std::mem::size_of::<u32>();
 const SIZE_OF_STAT: usize = std::mem::size_of::<BalloonStat>();
+/// Upper bound on the number of stats tags a guest may report.
+/// The VirtIO spec currently defines 16, but newer kernel versions can
+/// add more (e.g. Linux 6.12 added several, see 74c025c5d7e4). We use a
+/// generous limit that still bounds computation without breaking on future
+/// kernels.
+const MAX_STATS_TAGS: u32 = 256;
+/// Maximum valid stats descriptor length in bytes.
+/// Descriptors exceeding this are rejected to prevent unbounded iteration.
+#[allow(clippy::cast_possible_truncation)]
+const MAX_STATS_DESC_LEN: u32 = MAX_STATS_TAGS * std::mem::size_of::<BalloonStat>() as u32;
 
 fn mib_to_pages(amount_mib: u32) -> Result<u32, BalloonError> {
     amount_mib
@@ -410,6 +420,21 @@ impl Balloon {
                     .add_used(mem, prev_stats_desc, 0)
                     .map_err(BalloonError::Queue)?;
             }
+
+            // Reject oversized descriptors to prevent a guest from causing
+            // excessive iteration on the VMM event loop.
+            // We still hold onto the descriptor (via stats_desc_index below)
+            // so that the stats request/response protocol is preserved and
+            // trigger_stats_update can return it to the guest later.
+            if head.len > MAX_STATS_DESC_LEN {
+                warn!(
+                    "balloon: stats descriptor too large: {} > {}, skipping",
+                    head.len, MAX_STATS_DESC_LEN
+                );
+                self.stats_desc_index = Some(head.index);
+                continue;
+            }
+
             for index in (0..head.len).step_by(SIZE_OF_STAT) {
                 // Read the address at position `index`. The only case
                 // in which this fails is if there is overflow,
@@ -1162,4 +1187,71 @@ pub(crate) mod tests {
         assert_eq!(balloon.num_pages(), 0x1122_3344);
         assert_eq!(balloon.actual_pages(), 0x1234_5678);
     }
+
+    /// Test that process_stats_queue holds oversized descriptors without
+    /// updating stats, and updates stats for valid-length ones.
+    #[test]
+    fn test_stats_queue_oversized_descriptor_rejected() {
+        struct TestCase {
+            desc_len: u32,
+            stats_updated: bool,
+        }
+
+        let cases = [
+            TestCase {
+                desc_len: MAX_STATS_DESC_LEN + 1,
+                stats_updated: false,
+            },
+            TestCase {
+                desc_len: MAX_STATS_DESC_LEN,
+                stats_updated: true,
+            },
+        ];
+
+        let stat_addr: u64 = 0x1000;
+
+        for tc in &cases {
+            let mut balloon = Balloon::new(0, true, 1, false, false).unwrap();
+            let mem = default_mem();
+            let statsq = VirtQueue::new(GuestAddress(0), &mem, 16);
+            balloon.set_queue(INFLATE_INDEX, statsq.create_queue());
+            balloon.set_queue(DEFLATE_INDEX, statsq.create_queue());
+            balloon.set_queue(STATS_INDEX, statsq.create_queue());
+            balloon.activate(mem.clone()).unwrap();
+
+            // Fill the descriptor region with a recognisable stat value.
+            let n_stats = tc.desc_len as usize / SIZE_OF_STAT;
+            for i in 0..n_stats {
+                mem.write_obj::<BalloonStat>(
+                    BalloonStat {
+                        tag: VIRTIO_BALLOON_S_MEMFREE,
+                        val: 0xBEEF,
+                    },
+                    GuestAddress(stat_addr + (i * SIZE_OF_STAT) as u64),
+                )
+                .unwrap();
+            }
+
+            set_request(&statsq, 0, stat_addr, tc.desc_len, VIRTQ_DESC_F_NEXT);
+            balloon.queue_events()[STATS_INDEX].write(1).unwrap();
+            balloon.process_stats_queue_event().unwrap();
+
+            // The descriptor should always be held (stats protocol preserved)
+            // regardless of whether the stats were updated.
+            assert!(
+                balloon.stats_desc_index.is_some(),
+                "desc_len={}: descriptor should be held",
+                tc.desc_len,
+            );
+
+            // Verify stats were only updated for valid descriptors.
+            assert_eq!(
+                balloon.latest_stats.free_memory.is_some(),
+                tc.stats_updated,
+                "desc_len={}: expected stats_updated={}",
+                tc.desc_len,
+                tc.stats_updated,
+            );
+        }
+    }
 }