CVE-2022-0175: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2022-0175) was discovered in the VirGL virtual OpenGL renderer (virglrenderer) where the system did not properly initialize memory when allocating a host-backed memory resource. This flaw was found in version 0.9.0 and affected various Linux distributions including Ubuntu, Debian, and Red Hat systems (NVD, Debian Tracker).

The vulnerability stems from a memory initialization issue in the vrendresourceallocbuffer() function. Specifically, virgl fails to initialize the memory pointed by the res->ptr when creating a resource. This memory can be mapped to the guest kernel when the VIRTIOGPUCMDRESOURCEATTACHBACKING command is issued (Red Hat Bugzilla).

The vulnerability could allow a malicious guest to mmap from the guest kernel and read uninitialized memory from the host, potentially leading to information disclosure. This poses a significant security risk as sensitive host information could be exposed to unauthorized parties (Debian Tracker, Ubuntu Security).

The vulnerability has been fixed in multiple distributions. Ubuntu users should update to libvirglrenderer1 version 0.8.2-5ubuntu0.21.10.1 for Ubuntu 21.10 or version 0.8.2-1ubuntu1.1 for Ubuntu 20.04. Gentoo users should upgrade to virglrenderer version 0.10.1 or later. After updating, all virtual machines need to be restarted to apply the necessary changes (Ubuntu Security, Gentoo Security).