| + |
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the iov_from_buf_full function under these conditions: |
| + |
|
| + |
1) the (malicious) driver tries to add a non direct memory region as the buffer address |
| + |
2) then memory core needs to use the bounce buffer |
| + |
3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed) |
| + |
|
| + |
A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. |