Oracle VM VirtualBox - Virtual Machine Escape via the VGA Device

  • Summary: VirtualBox's vmsvga3dSurfaceMipBufferSize function has an integer overflow vulnerability. An attacker can manipulate a malloc call to allocate 0 bytes while VirtualBox tracks the buffer size as greater than 0. This leads to linear read/write primitives that can escalate to arbitrary read/write access in the host's memory. A proof-of-concept shows how to fully escape a virtual machine.

    • Severity: High
    • Proof of Concept: Exploit the VMSVGAGBO and VMSVGAMOB objects. Trigger allocation of a buggy_surface with size 0. Allocate a GBO object with a specific cbTotal value. Use out-of-bounds reads and writes to achieve arbitrary read/write access. Can also achieve arbitrary heap allocation and break ASLR to gain RIP control and execute shellcode to escape the VM.
  • Further Analysis:

    • Linear out-of-bounds read: By mapping and copying between surfaces with incorrect buffer size calculations, an attacker can read up to cbRow bytes from a buffer with size 0 and get the contents back using a READBACK_SUBRESOURCE command.
    • Linear out-of-bounds write: A malicious guest can define a surface and use an UPDATE_SUBRESOURCE command to transfer an almost arbitrary number of bytes from guest memory into a buffer of size 0.
  • Timeline:

    • Reported: 04/01/2025
    • Fixed: 04/15/2025
    • Disclosed: 05/15/2025
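The root cause described in the summary is a size computation whose 32-bit product wraps to zero, so the host allocates 0 bytes while still recording a positive row size and later copies row-sized chunks into that buffer. The following C program is an added illustration, not VirtualBox's code: the `MipDesc`, `Surface`, `mipBufferSizeUnchecked` and `mipBufferSizeChecked` names are assumptions chosen for the example. It shows the unchecked arithmetic wrapping on constructed dimensions, the mismatch between the tracked `cbRow` and the allocation that results, and a checked variant that rejects any descriptor whose size overflows, is zero, or is smaller than one row.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical mip-level descriptor; field names are illustrative, not VirtualBox's. */
typedef struct {
    uint32_t cbRow;   /* bytes per row (pitch) */
    uint32_t cRows;   /* rows per slice */
    uint32_t cDepth;  /* slices in this mip level */
} MipDesc;

/* Unchecked size computation in 32-bit arithmetic: a large product silently wraps. */
uint32_t mipBufferSizeUnchecked(const MipDesc *d)
{
    return d->cbRow * d->cRows * d->cDepth;
}

/* Multiply two 32-bit values and report whether the result fits in 32 bits. */
static bool mul32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Checked variant: fails on overflow, on a zero-sized result, and whenever the
 * total would be smaller than the row size the surface will record. */
bool mipBufferSizeChecked(const MipDesc *d, uint32_t *pcbTotal)
{
    uint32_t cb;
    if (!mul32(d->cbRow, d->cRows, &cb) || !mul32(cb, d->cDepth, &cb))
        return false;
    if (cb == 0 || cb < d->cbRow)
        return false;
    *pcbTotal = cb;
    return true;
}

/* Simulated surface record: the row size is tracked next to the backing buffer. */
typedef struct {
    uint32_t cbRow;
    uint32_t cbTotal;
    void    *pvData;
} Surface;

/* Allocate with the unchecked path. Returns true when the tracked row size
 * exceeds the allocation, i.e. a later row-sized copy would run past the end.
 * (malloc(0) may return NULL or a minimal chunk depending on the allocator;
 * the inconsistency is judged on the recorded sizes, not on the pointer.) */
bool surfaceAllocInconsistent(const MipDesc *d, Surface *s)
{
    s->cbRow   = d->cbRow;
    s->cbTotal = mipBufferSizeUnchecked(d);
    s->pvData  = malloc(s->cbTotal);
    return s->cbRow > s->cbTotal;
}

/* Checked allocation: refuses descriptors whose size cannot be represented. */
bool surfaceAllocChecked(const MipDesc *d, Surface *s)
{
    if (!mipBufferSizeChecked(d, &s->cbTotal))
        return false;
    s->cbRow  = d->cbRow;
    s->pvData = malloc(s->cbTotal);
    return s->pvData != NULL;
}

void surfaceFree(Surface *s)
{
    free(s->pvData);
    s->pvData = NULL;
}

int main(void)
{
    /* Constructed dimensions: 0x10000 * 0x10000 = 2^32, which wraps to 0. */
    MipDesc wrapping = { 0x10000u, 0x10000u, 1u };
    MipDesc sane     = { 4096u, 1024u, 2u };
    Surface s;

    printf("unchecked size for wrapping descriptor: %u\n", mipBufferSizeUnchecked(&wrapping));
    printf("tracked cbRow > allocation: %s\n", surfaceAllocInconsistent(&wrapping, &s) ? "yes" : "no");
    surfaceFree(&s);
    printf("checked allocation accepts wrapping descriptor: %s\n",
           surfaceAllocChecked(&wrapping, &s) ? "yes" : "no");
    if (surfaceAllocChecked(&sane, &s)) {
        printf("checked allocation for sane descriptor: %u bytes\n", s.cbTotal);
        surfaceFree(&s);
    }
    return 0;
}
```

The check `cb < d->cbRow` is the property that matters for the primitives the advisory describes: every later per-row copy is bounded by the allocation only if the recorded row size can never exceed the total.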