{"id":"RUSTSEC-2024-0428","summary":"Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`","details":"An issue was identified in the `VmFd::create_device function`, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules.\n\nThe function downcasted a mutable reference to its `struct kvm_create_device` argument to an immutable pointer, and then proceeded to pass this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure's fields, meaning code will not see the value written by the kernel into the `fd` member. Instead, the code will observe the value that this field was initialized to prior to calling `VmFd::create_device` (usually, 0).\n\nThe issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using\na mutable pointer.","aliases":["GHSA-3qx8-rv27-j6gp"],"modified":"2025-10-28T06:29:22.787282Z","published":"2024-12-05T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/kvm-ioctls"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0428.html"},{"type":"WEB","url":"https://github.com/rust-vmm/kvm/pull/298"}],"affected":[{"package":{"name":"kvm-ioctls","ecosystem":"crates.io","purl":"pkg:cargo/kvm-ioctls"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.19.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":["linux"],"functions":["kvm_ioctls::ioctls::vm::VmFd::create_device"]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0428.json","informational":"unsound","cvss":null,"categories":[]}}],"schema_version":"1.7.3"}