OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the iov_from_buf_full function under these conditions: 1) the (malicious) driver tries to add a non direct memory region as the buffer address 2) then memory core needs to use the bounce buffer 3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed) A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the iov_from_buf_full function under these conditions: 1) the (malicious) driver tries to add a non direct memory region as the buffer address 2) then memory core needs to use the bounce buffer 3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed) A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
https://bugzilla.redhat.com/show_bug.cgi?id=1998514