osec-2019-01
Vulnerability from osv_ocaml
Background
MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual devices, such as a network device, share memory between MirageOS and the hypervisor. To maintain adequate performance, the virtual device managing network communication between MirageOS and the Xen hypervisor maintains a shared pool of pages and reuses them for write requests.
Problem Description
In version 1.10.0 of netchannel, the API for handling network requests changed to provide higher-level network code with an interface for writing into memory directly. As part of this change, code paths which exposed memory taken from the shared page pool did not ensure that previous data had been cleared from the buffer. This error resulted in memory which the user did not overwrite staying resident in the buffer, and potentially being sent as part of unrelated network communication.
The mirage-tcpip library, which provides interfaces for higher-level operations like IPv4 and TCP header writes, assumes that buffers into which it writes have been zeroed, and therefore may not explicitly write some fields which are always zero. As a result, some packets written with netchannel v1.10.0 which were passed to mirage-tcpip with nonzero data will have incorrect checksums calculated and will be discarded by the receiver.
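The two effects described above, reproduced in a small C model that is an added example and not code from netchannel or mirage-tcpip. The one-page pool, the 8-byte header layout and every function name are hypothetical, and the stale bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 64                        /* constructed: tiny "page" */
static uint8_t page[PAGE];             /* hypothetical one-page shared pool */

/* RFC 1071 ones'-complement checksum over an even number of bytes. */
static uint16_t csum(const uint8_t *b, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Hypothetical 8-byte header: [0..1] id, [2..3] reserved (always zero, so
   never written), [4..5] checksum, [6..7] payload length. The writer assumes
   a zeroed buffer, as the advisory says mirage-tcpip does. */
static void write_header(uint8_t *b, uint16_t id, uint16_t plen) {
    b[0] = (uint8_t)(id >> 8);   b[1] = (uint8_t)id;
    b[6] = (uint8_t)(plen >> 8); b[7] = (uint8_t)plen;
    uint16_t c = csum(b, 8);           /* checksum field assumed to be zero */
    b[4] = (uint8_t)(c >> 8);    b[5] = (uint8_t)c;
}

/* Build a frame of frame_len bytes around a shorter payload. Returns 1 if a
   receiver would accept the header (it sums to zero with its checksum), 0 if
   not, -1 on bad sizes; *stale counts leftover nonzero bytes after the payload. */
int send_frame(int zero_first, const char *payload, size_t frame_len, int *stale) {
    size_t n = strlen(payload);
    if (8 + n > frame_len || frame_len > PAGE) return -1;
    memset(page, 'S', PAGE);           /* constructed: previous user's data */
    if (zero_first) memset(page, 0, PAGE);   /* the hardened allocation path */
    write_header(page, 0x1234, (uint16_t)n);
    memcpy(page + 8, payload, n);
    *stale = 0;
    for (size_t i = 8 + n; i < frame_len; i++) *stale += (page[i] != 0);
    return csum(page, 8) == 0;
}

int main(void) {
    int stale;
    int ok = send_frame(0, "hello", 32, &stale);
    printf("reused page as is: header ok=%d, stale bytes sent=%d\n", ok, stale);
    ok = send_frame(1, "hello", 32, &stale);
    printf("zeroed on reuse:   header ok=%d, stale bytes sent=%d\n", ok, stale);
    return 0;
}
```

With the page reused as is, the frame carries the previous user's bytes after the payload and the header fails verification because the checksum was computed over a nonzero checksum field; zeroing on reuse removes both effects.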
Impact
This issue discloses memory intended for another recipient and corrupts packets. Only version 1.10.0 of netchannel is affected. Version 1.10.1 fixes this issue.
Version 1.10.0 was available for less than one month and many upstream users had not yet updated their own API calls to use it. In particular, no version of qubes-mirage-firewall or its dependency mirage-nat compatible with version 1.10.0 was released.
Solution
Version 1.10.1 fixes both the transmission of corrupt data and the memory disclosure.
{
"affected": [
{
"ecosystem_specific": {
"opam_constraint": "netchannel {\u003e= \"1.10.0\" \u0026 \u003c \"1.10.1\"}"
},
"package": {
"ecosystem": "opam",
"name": "netchannel",
"purl": "pkg:opam/netchannel"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.1"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"fixed": "bdfc658f139e39cdf1b8dada013b91df67a8e26a"
},
{
"introduced": "e4f8d9f65a7999ac259cea57395bf5fbf00773bb"
}
],
"repo": "https://github.com/mirage/mirage-net-xen",
"type": "GIT"
}
],
"versions": [
"1.10.0"
]
}
],
"credits": [
{
"name": "Mindy Preston",
"type": "REPORTER"
},
{
"name": "Mindy Preston",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Thomas Leonard",
"type": "REMEDIATION_REVIEWER"
},
{
"name": "Hannes Mehnert",
"type": "REMEDIATION_REVIEWER"
}
],
"database_specific": {
"cwe": [
"CWE-908"
],
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2019/OSEC-2019-01.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2019/OSEC-2019-01.json"
},
"details": "## Background\n\nMirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual devices, such as a network device, share memory between MirageOS and the hypervisor. To maintain adequate performance, the virtual device managing network communication between MirageOS and the Xen hypervisor maintains a shared pool of pages and reuses them for write requests.\n\n## Problem Description\n\nIn version 1.10.0 of netchannel, the API for handling network requests changed to provide higher-level network code with an interface for writing into memory directly. As part of this change, code paths which exposed memory taken from the shared page pool did not ensure that previous data had been cleared from the buffer. This error resulted in memory which the user did not overwrite staying resident in the buffer, and potentially being sent as part of unrelated network communication.\n\nThe mirage-tcpip library, which provides interfaces for higher-level operations like IPv4 and TCP header writes, assumes that buffers into which it writes have been zeroed, and therefore may not explicitly write some fields which are always zero. As a result, some packets written with netchannel v1.10.0 which were passed to mirage-tcpip with nonzero data will have incorrect checksums calculated and will be discarded by the receiver.\n\n## Impact\n\nThis issue discloses memory intended for another recipient and corrupts packets. Only version 1.10.0 of netchannel is affected. Version 1.10.1 fixes this issue.\n\nVersion 1.10.0 was available for less than one month and many upstream users had not yet updated their own API calls to use it. In particular, no version of qubes-mirage-firewall or its dependency mirage-nat compatible with version 1.10.0 was released.\n\n## Solution\n\nTransmitting corrupt data and disclosing memory is fixed in version 1.10.1.",
"id": "OSEC-2019-01",
"modified": "2026-01-13T12:00:00Z",
"published": "2019-03-21T00:00:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/mirage/mirage-net-xen/pull/83"
},
{
"type": "ADVISORY",
"url": "https://mirageos.org/blog/MSA01"
}
],
"schema_version": "1.7.4",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Memory disclosure in mirage-net-xen"
}