Awesome
CVE-2022-31705
Intro
Example
- use 'lsusb' to determine the device id, use the device id to set 'qh->field4'
- vmx code will alloc a struct with 0x18 size (the size can be controlled in the code) buffer for reading guest physical memory.
- the total size of this struct will be 0x400
- address of this struct is 0x26d6caa80d0
- in the end, vmx will read 0x800 size (can be controlled in the code) of physical memory into 0x2606CAA84C0, which is the last 0x10 byte of 0x26d6caa80d0 (first 0x8 is already readed at the alloc stage)
- for sure, it will cause a OOB write.