id = 1171
title = "tulip: DMA reentrancy issue leads to stack overflow (CVE-2022-2962)"
state = "closed"
created_at = "2022-08-23T16:23:58.564Z"
closed_at = "2022-09-14T21:02:00.854Z"
labels = ["Networking", "Security"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/1171"
host-os = "n/a"
host-arch = "n/a"
qemu-version = "n/a"
guest-os = "n/a"
guest-arch = "n/a"
description = """A DMA reentrancy issue was found in the tulip emulation. When tulip reads or writes to  rx/tx descriptor ( tulip_desc_read/write ) or copies  rx/tx frame(tulip_copy_rx_bytes / tulip_copy_tx_buffers), it doesn't check whether the destination address is its own MMIO address. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host."""
reproduce = "n/a"
additional = "n/a"