Back to bug 2120631
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Mauro Matteo Cascella | 2022-08-23 12:47:17 UTC | CC | ddepaula, eglynn, jen, jferlan, jjoyce, jmaloy, knoel, lhh, lkundrak, mburns, mgarciac, mkenneth, mrezanin, mst, spower, virt-maint | |
| Mauro Matteo Cascella | 2022-08-23 12:47:17 UTC | Doc Text | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | |
| Mauro Matteo Cascella | 2022-08-23 12:59:01 UTC | Depends On | 2120641 | |
| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Resolution | --- | NOTABUG |
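| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2022-09-02 17:33:02 UTC | Last Closed | 2022-09-02 17:33:02 UTC | |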
| Mauro Matteo Cascella | 2022-09-13 15:48:37 UTC | Fixed In Version | qemu 7.2.0-rc0 | |
| RaTasha Tillery-Smith | 2022-10-13 13:32:41 UTC | Doc Text | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its MMIO address. This issue can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. This flaw allows a malicious guest to crash the QEMU process on the host, resulting in a denial of service condition. |