harden(virtio-mmio): preserve cumulative status bits across transitions

libre-man · libre-man · commit 8ff4adfb1b99 · 2026-05-01T10:27:30.000+02:00
Backports the MMIO portion of upstream PR firecracker-microvm#5818 (commit 4a52198). Replaces the match on `!self.device_status & status` with an explicit VALID_TRANSITIONS table and equality check, so writes that drop previously-set bits (e.g. FEATURES_OK alone after the device is in state ACK | DRIVER | FEATURES_OK | DRIVER_OK) are rejected. This is *not* a fix for CVE-2026-5747. Per AWS security bulletin 2026-015, that CVE is specific to the virtio PCI transport, which is opt-in via --enable-pci and was added upstream in v1.13.0. Our fork is based on v1.6.5 and has no PCI transport, so the CVE itself does not apply. Upstream's PR firecracker-microvm#5818 included a parenthetical defensive hardening of the MMIO transport ("Note: virtio MMIO transport also didn't [enforce cumulative bits]") and that is what this commit backports — for consistency with upstream's stricter behaviour and defence-in-depth, not because of an active CVE. The upstream commit could not be cherry-picked cleanly because by v1.15.x the mmio transport lives at src/vmm/src/devices/virtio/ transport/mmio.rs, the activate() signature gained an interrupt argument, and the failure path uses DEVICE_NEEDS_RESET / VirtioInterruptType, none of which exist in v1.6.5. The control flow and the VALID_TRANSITIONS contents are deliberately kept identical to upstream so future audits can compare line-for-line.
diff --git a/src/vmm/src/devices/virtio/mmio.rs b/src/vmm/src/devices/virtio/mmio.rs
@@ -172,55 +172,58 @@ impl MmioTransport {
     #[allow(unused_assignments)]
     fn set_device_status(&mut self, status: u32) {
         use device_status::*;
-        // match changed bits
-        match !self.device_status & status {
-            ACKNOWLEDGE if self.device_status == INIT => {
-                self.device_status = status;
-            }
-            DRIVER if self.device_status == ACKNOWLEDGE => {
-                self.device_status = status;
+
+        const VALID_TRANSITIONS: &[(u32, u32)] = &[
+            (INIT, ACKNOWLEDGE),
+            (ACKNOWLEDGE, ACKNOWLEDGE | DRIVER),
+            (ACKNOWLEDGE | DRIVER, ACKNOWLEDGE | DRIVER | FEATURES_OK),
+            (
+                ACKNOWLEDGE | DRIVER | FEATURES_OK,
+                ACKNOWLEDGE | DRIVER | FEATURES_OK | DRIVER_OK,
+            ),
+        ];
+
+        if (status & FAILED) != 0 {
+            // TODO: notify backend driver to stop the device
+            self.device_status |= FAILED;
+        } else if status == INIT {
+            if self.locked_device().is_activated() {
+                let mut device_status = self.device_status;
+                let reset_result = self.locked_device().reset();
+                match reset_result {
+                    Some((_interrupt_evt, mut _queue_evts)) => {}
+                    None => {
+                        device_status |= FAILED;
+                    }
+                }
+                self.device_status = device_status;
             }
-            FEATURES_OK if self.device_status == (ACKNOWLEDGE | DRIVER) => {
-                self.device_status = status;
+
+            // If the backend device driver doesn't support reset,
+            // just leave the device marked as FAILED.
+            if self.device_status & FAILED == 0 {
+                self.reset();
             }
-            DRIVER_OK if self.device_status == (ACKNOWLEDGE | DRIVER | FEATURES_OK) => {
-                self.device_status = status;
+        } else if VALID_TRANSITIONS
+            .iter()
+            .any(|&(from, to)| self.device_status == from && status == to)
+        {
+            self.device_status = status;
+
+            // Activate the device when transitioning to DRIVER_OK.
+            if status == (ACKNOWLEDGE | DRIVER | FEATURES_OK | DRIVER_OK) {
                 let device_activated = self.locked_device().is_activated();
                 if !device_activated && self.are_queues_valid() {
                     self.locked_device()
                         .activate(self.mem.clone())
                         .expect("Failed to activate device");
                 }
             }
-            _ if (status & FAILED) != 0 => {
-                // TODO: notify backend driver to stop the device
-                self.device_status |= FAILED;
-            }
-            _ if status == 0 => {
-                if self.locked_device().is_activated() {
-                    let mut device_status = self.device_status;
-                    let reset_result = self.locked_device().reset();
-                    match reset_result {
-                        Some((_interrupt_evt, mut _queue_evts)) => {}
-                        None => {
-                            device_status |= FAILED;
-                        }
-                    }
-                    self.device_status = device_status;
-                }
-
-                // If the backend device driver doesn't support reset,
-                // just leave the device marked as FAILED.
-                if self.device_status & FAILED == 0 {
-                    self.reset();
-                }
-            }
-            _ => {
-                warn!(
-                    "invalid virtio driver status transition: 0x{:x} -> 0x{:x}",
-                    self.device_status, status
-                );
-            }
+        } else {
+            warn!(
+                "invalid virtio driver status transition: {:#x} -> {:#x}",
+                self.device_status, status
+            );
         }
     }
 }
