
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-50711 affects vmm-sys-util, a collection of modules providing helpers and utilities used by multiple rust-vmm components. The vulnerability is present in versions 0.5.0 up to, but not including, 0.12.0, specifically in the FamStructWrapper::deserialize implementation. Deserialization does not check whether the length stored in the header matches the flexible array length, which can lead to out-of-bounds memory access through Rust-safe methods (GitHub Advisory, NVD).
When deserializing a FamStructWrapper, the implementation reconstructs the header from the saved state and then reconstructs the flexible array part separately, without verifying that the two agree. The safety of the FamStructWrapper methods that access the underlying memory depends on the header length accurately reflecting the memory size of the flexible array. If the saved state is malformed and the header length implies a flexible array buffer larger than the allocated memory, those methods can access memory out of bounds (GitHub Patch).
The vulnerability allows potential out-of-bounds memory access through Rust-safe methods. This could lead to memory corruption or unauthorized access to memory regions. The CVSS v3.1 base score varies between assessments, with NVD rating it as 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and GitHub rating it as 5.7 MEDIUM (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L) (NVD).
The vulnerability was patched in version 0.12.0. The fix includes adding a check that verifies the lengths of compared flexible arrays are equal for any deserialized header and aborting deserialization if they don't match. Additionally, the API was modified so that header length can only be modified through Rust-unsafe code, ensuring users cannot trigger out-of-bounds memory access from Rust-safe code (GitHub Advisory).
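The flaw and the fix described above can be shown in a simplified model. This is an added example, not code from vmm-sys-util: the wire format, `FamState`, `DeError` and all function names are assumptions made for illustration, and the sample input is constructed.

```rust
// Added example: a simplified model, not vmm-sys-util's code.
// Assumed wire format: u32 header_len | u32 entry_count | u32 entries (all LE).
#[derive(Debug, PartialEq)]
pub enum DeError { Truncated, LenMismatch { header_len: u32, entries: usize } }
#[derive(Debug, PartialEq)]
pub struct FamState {
    pub header_len: u32,   // length the header claims for the flexible array
    pub entries: Vec<u32>, // flexible array actually carried by the state
}
fn read_u32(buf: &[u8], off: usize) -> Result<u32, DeError> {
    let b = buf.get(off..off + 4).ok_or(DeError::Truncated)?;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Flawed pattern: header and array are rebuilt independently.
pub fn deserialize_unchecked(buf: &[u8]) -> Result<FamState, DeError> {
    let header_len = read_u32(buf, 0)?;
    let count = read_u32(buf, 4)? as usize;
    let body = &buf[8..]; // in bounds: the read at offset 4 proved len >= 8
    if body.len() / 4 < count { return Err(DeError::Truncated); }
    let entries = body.chunks_exact(4).take(count)
        .map(|c| u32::from_le_bytes([c[0], c[1], c[2], c[3]])).collect();
    Ok(FamState { header_len, entries })
}

/// Fixed pattern: abort when the header length disagrees with the array length.
pub fn deserialize_checked(buf: &[u8]) -> Result<FamState, DeError> {
    let s = deserialize_unchecked(buf)?;
    if s.header_len as usize != s.entries.len() {
        return Err(DeError::LenMismatch { header_len: s.header_len, entries: s.entries.len() });
    }
    Ok(s)
}
/// Bytes beyond the allocation that a header-trusting accessor would cover.
pub fn overread_bytes(s: &FamState) -> usize {
    (s.header_len as usize).saturating_sub(s.entries.len()).saturating_mul(4)
}

/// Constructed sample state: header claims `claimed`, payload carries `actual`.
pub fn sample_state(claimed: u32, actual: &[u32]) -> Vec<u8> {
    let mut v = claimed.to_le_bytes().to_vec();
    v.extend_from_slice(&(actual.len() as u32).to_le_bytes());
    actual.iter().for_each(|e| v.extend_from_slice(&e.to_le_bytes()));
    v
}

fn main() {
    let bad = sample_state(1024, &[1, 2]);
    println!("{:?} / {:?}", deserialize_unchecked(&bad).map(|s| overread_bytes(&s)), deserialize_checked(&bad));
}
```

The model stays in safe Rust, so it only reports the span a header-trusting accessor would cover instead of performing the access.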
Several distributions have shipped security updates in response, including Fedora 38 and 39, which updated their rust-vmm components and the packages that consume them (Fedora Update).
Source: This report was generated using AI