fix(balloon): bound stats descriptor length

libre-man · libre-man · commit e85598eed571 · 2026-05-01T10:27:30.000+02:00
A malicious guest could submit a stats descriptor with an arbitrarily large length field, causing the VMM event loop to spin for billions of iterations and become unresponsive. Reject descriptors exceeding MAX_STATS_DESC_LEN (256 * sizeof(BalloonStat)). Cherry-pick of upstream commit 1689689 (PR firecracker-microvm#5794), with two minor adaptations for v1.6.5: - drop the unrelated CHANGELOG hunk; - drop the second 'interrupt' argument from balloon.activate() in the new test (added in upstream's later refactor) and also import the warn! macro which is not yet pulled in by this module. (cherry picked from commit 1689689f0a31f9b1107c01ae9c6ed5b6f110050e)
diff --git a/src/vmm/src/devices/virtio/balloon/device.rs b/src/vmm/src/devices/virtio/balloon/device.rs
@@ -7,7 +7,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use std::{cmp, fmt};
 
-use log::error;
+use log::{error, warn};
 use serde::Serialize;
 use timerfd::{ClockId, SetTimeFlags, TimerFd, TimerState};
 use utils::eventfd::EventFd;
@@ -35,6 +35,16 @@ use crate::vstate::memory::{Address, ByteValued, Bytes, GuestAddress, GuestMemor
 
 const SIZE_OF_U32: usize = std::mem::size_of::<u32>();
 const SIZE_OF_STAT: usize = std::mem::size_of::<BalloonStat>();
+/// Upper bound on the number of stats tags a guest may report.
+/// The VirtIO spec currently defines 16, but newer kernel versions can
+/// add more (e.g. Linux 6.12 added several, see 74c025c5d7e4). We use a
+/// generous limit that still bounds computation without breaking on future
+/// kernels.
+const MAX_STATS_TAGS: u32 = 256;
+/// Maximum valid stats descriptor length in bytes.
+/// Descriptors exceeding this are rejected to prevent unbounded iteration.
+#[allow(clippy::cast_possible_truncation)]
+const MAX_STATS_DESC_LEN: u32 = MAX_STATS_TAGS * std::mem::size_of::<BalloonStat>() as u32;
 
 fn mib_to_pages(amount_mib: u32) -> Result<u32, BalloonError> {
     amount_mib
@@ -410,6 +420,21 @@ impl Balloon {
                     .add_used(mem, prev_stats_desc, 0)
                     .map_err(BalloonError::Queue)?;
             }
+
+            // Reject oversized descriptors to prevent a guest from causing
+            // excessive iteration on the VMM event loop.
+            // We still hold onto the descriptor (via stats_desc_index below)
+            // so that the stats request/response protocol is preserved and
+            // trigger_stats_update can return it to the guest later.
+            if head.len > MAX_STATS_DESC_LEN {
+                warn!(
+                    "balloon: stats descriptor too large: {} > {}, skipping",
+                    head.len, MAX_STATS_DESC_LEN
+                );
+                self.stats_desc_index = Some(head.index);
+                continue;
+            }
+
             for index in (0..head.len).step_by(SIZE_OF_STAT) {
                 // Read the address at position `index`. The only case
                 // in which this fails is if there is overflow,
@@ -1162,4 +1187,71 @@ pub(crate) mod tests {
         assert_eq!(balloon.num_pages(), 0x1122_3344);
         assert_eq!(balloon.actual_pages(), 0x1234_5678);
     }
+
+    /// Test that process_stats_queue holds oversized descriptors without
+    /// updating stats, and updates stats for valid-length ones.
+    #[test]
+    fn test_stats_queue_oversized_descriptor_rejected() {
+        struct TestCase {
+            desc_len: u32,
+            stats_updated: bool,
+        }
+
+        let cases = [
+            TestCase {
+                desc_len: MAX_STATS_DESC_LEN + 1,
+                stats_updated: false,
+            },
+            TestCase {
+                desc_len: MAX_STATS_DESC_LEN,
+                stats_updated: true,
+            },
+        ];
+
+        let stat_addr: u64 = 0x1000;
+
+        for tc in &cases {
+            let mut balloon = Balloon::new(0, true, 1, false, false).unwrap();
+            let mem = default_mem();
+            let statsq = VirtQueue::new(GuestAddress(0), &mem, 16);
+            balloon.set_queue(INFLATE_INDEX, statsq.create_queue());
+            balloon.set_queue(DEFLATE_INDEX, statsq.create_queue());
+            balloon.set_queue(STATS_INDEX, statsq.create_queue());
+            balloon.activate(mem.clone()).unwrap();
+
+            // Fill the descriptor region with a recognisable stat value.
+            let n_stats = tc.desc_len as usize / SIZE_OF_STAT;
+            for i in 0..n_stats {
+                mem.write_obj::<BalloonStat>(
+                    BalloonStat {
+                        tag: VIRTIO_BALLOON_S_MEMFREE,
+                        val: 0xBEEF,
+                    },
+                    GuestAddress(stat_addr + (i * SIZE_OF_STAT) as u64),
+                )
+                .unwrap();
+            }
+
+            set_request(&statsq, 0, stat_addr, tc.desc_len, VIRTQ_DESC_F_NEXT);
+            balloon.queue_events()[STATS_INDEX].write(1).unwrap();
+            balloon.process_stats_queue_event().unwrap();
+
+            // The descriptor should always be held (stats protocol preserved)
+            // regardless of whether the stats were updated.
+            assert!(
+                balloon.stats_desc_index.is_some(),
+                "desc_len={}: descriptor should be held",
+                tc.desc_len,
+            );
+
+            // Verify stats were only updated for valid descriptors.
+            assert_eq!(
+                balloon.latest_stats.free_memory.is_some(),
+                tc.stats_updated,
+                "desc_len={}: expected stats_updated={}",
+                tc.desc_len,
+                tc.stats_updated,
+            );
+        }
+    }
 }
