Back to bug 2120631

| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Mauro Matteo Cascella | 2022-08-23 12:47:17 UTC | CC | | ddepaula, eglynn, jen, jferlan, jjoyce, jmaloy, knoel, lhh, lkundrak, mburns, mgarciac, mkenneth, mrezanin, mst, spower, virt-maint |
| Mauro Matteo Cascella | 2022-08-23 12:47:17 UTC | Doc Text | | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
| Mauro Matteo Cascella | 2022-08-23 12:59:01 UTC | Depends On | | 2120641 |
| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Resolution | --- | NOTABUG |
| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Last Closed | | 2022-09-02 17:33:02 UTC |
| Mauro Matteo Cascella | 2022-09-13 15:48:37 UTC | Fixed In Version | | qemu 7.2.0-rc0 |
| RaTasha Tillery-Smith | 2022-10-13 13:32:41 UTC | Doc Text | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its MMIO address. This issue can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. This flaw allows a malicious guest to crash the QEMU process on the host, resulting in a denial of service condition. |
