A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HQemu
APPQemu4.2.0 – 7.1.0
Related vulnerabilities
The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and ear...
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attack...
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows ...
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer ...
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers...