| Description |
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the iov_from_buf_full function under these conditions:
1) the (malicious) driver tries to add a non direct memory region as the buffer address
2) then memory core needs to use the bounce buffer
3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed)
A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. |