blob: c5a7675c51569d31843f56ec697e3db9ab82e983 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
device: 0.858
vnc: 0.750
network: 0.682
graphic: 0.585
VMM: 0.527
i386: 0.475
semantic: 0.454
files: 0.398
PID: 0.351
register: 0.333
socket: 0.328
boot: 0.304
TCG: 0.303
ppc: 0.286
x86: 0.263
architecture: 0.260
risc-v: 0.249
virtual: 0.224
mistranslation: 0.213
arm: 0.211
hypervisor: 0.204
kernel: 0.168
permissions: 0.144
debug: 0.121
performance: 0.087
KVM: 0.076
user-level: 0.076
peripherals: 0.072
assembly: 0.051
nvme: DMA reentrancy issue leads to use-after-free (CVE-2021-3929)
Description of problem:
A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This is similar to CVE-2021-3750 (https://gitlab.com/qemu-project/qemu/-/issues/541) and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
This issue was reported by Qiuhao Li.
|