1 files changed, 17 insertions, 0 deletions

diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/782.toml b/gitlab/issues/target_missing/host_missing/accel_missing/782.toml
new file mode 100644
index 00000000..920d214e
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/782.toml
@@ -0,0 +1,17 @@
+id = 782
+title = "nvme: DMA reentrancy issue leads to use-after-free (CVE-2021-3929)"
+state = "closed"
+created_at = "2021-12-17T09:33:18.851Z"
+closed_at = "2022-03-18T18:59:49.094Z"
+labels = ["Fuzzer", "Security", "Storage"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/782"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This is similar to CVE-2021-3750 (https://gitlab.com/qemu-project/qemu/-/issues/541) and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
+
+This issue was reported by Qiuhao Li."""
+reproduce = "n/a"
+additional = "n/a"