CVE-2020-10756: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This vulnerability (CVE-2020-10756) was discovered by Ziming Zhang from Qi An Xin Group and VictorV from 360 Vulcan Team. The flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request (ping). This vulnerability affects versions of libslirp before 4.3.1 (ZDI Advisory, NVD).

The vulnerability exists in the icmp6_send_echoreply() function in ip6_icmp.c of libslirp. When processing an incoming ICMPv6 echo request, the function does not validate the IPv6 payload length (ip->ip_pl) which is then used as the size parameter for memcpy() to create the destination packet. This leads to an out-of-bounds read condition. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (Red Hat Bugzilla).

A malicious guest could exploit this vulnerability to leak the contents of the host memory, resulting in possible information disclosure. The flaw allows an attacker to trick memcpy() into copying more data than allowed, potentially exposing sensitive information from the host system (Red Hat Bugzilla, ZDI Advisory).

The vulnerability was fixed in libslirp version 4.3.1. The fix was implemented through a patch that properly validates the IPv6 payload length before performing the memory copy operation. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu, Debian, and Red Hat (Ubuntu Security Notice, Debian Security Advisory).