Vigil@nce - QEMU: NULL pointer dereference via VMXNET3
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is administrator in a guest system, can force a
NULL pointer to be dereferenced via VMXNET3 of QEMU, in order to
trigger a denial of service on the host system.
Impacted products: QEMU.
Severity: 1/4.
Creation date: 19/08/2016.
DESCRIPTION OF THE VULNERABILITY
The QEMU product supports VMware VMXNET3 devices.
However, an integer overflow in the net_tx_pkt_init() function
leads to the use of memory at address zero.
An attacker, who is administrator in a guest system, can therefore
force a NULL pointer to be dereferenced via VMXNET3 of QEMU, in
order to trigger a denial of service on the host system.
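The bug class the description names, a guest-supplied count that overflows a size computation so that the resulting allocation is unusable and memory at address zero ends up being touched, shown as an added C illustration beside the defensive pattern. This is not QEMU's code: the fragment structure, the MAX_FRAGMENTS_ALLOWED bound and every function name below are constructed for the example and are not taken from net_tx_pkt_init().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a per-fragment descriptor (16 bytes).
 * QEMU's real structures are not reproduced here. */
struct fragment {
    uint64_t base;
    uint32_t len;
    uint32_t flags;
};

/* Naive pattern: the byte count is computed in 32-bit arithmetic, so a
 * large guest-controlled fragment count wraps to a small value or to
 * zero. The wrapped size is returned so the effect can be observed. */
uint32_t naive_fragment_bytes(uint32_t max_fragments)
{
    return max_fragments * (uint32_t)sizeof(struct fragment);
}

/* Hardened pattern: bound the count (constructed limit) and reject any
 * product that cannot fit in size_t. Returns 0 when the count is rejected;
 * 0 is never a valid table size because an empty table is rejected too. */
#define MAX_FRAGMENTS_ALLOWED 4096u

size_t checked_fragment_bytes(uint32_t max_fragments)
{
    if (max_fragments == 0 || max_fragments > MAX_FRAGMENTS_ALLOWED) {
        return 0;
    }
    if ((size_t)max_fragments > SIZE_MAX / sizeof(struct fragment)) {
        return 0; /* multiplication would overflow size_t */
    }
    return (size_t)max_fragments * sizeof(struct fragment);
}

/* Allocate the fragment table, returning NULL on a rejected count or on
 * allocation failure. Callers must check the result: using it without a
 * check is exactly the address-zero access the bulletin describes. */
struct fragment *alloc_fragment_table(uint32_t max_fragments)
{
    size_t bytes = checked_fragment_bytes(max_fragments);
    if (bytes == 0) {
        return NULL;
    }
    return calloc(1, bytes);
}

/* Helper for tests: does allocation succeed for this count? Frees the table. */
bool table_alloc_succeeds(uint32_t max_fragments)
{
    struct fragment *table = alloc_fragment_table(max_fragments);
    if (table == NULL) {
        return false;
    }
    free(table);
    return true;
}

int main(void)
{
    /* 0x10000000 * 16 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    uint32_t hostile = 0x10000000u;
    printf("naive size for %#x fragments: %u bytes\n", hostile,
           naive_fragment_bytes(hostile));
    printf("checked size for %#x fragments: %zu (0 = rejected)\n", hostile,
           checked_fragment_bytes(hostile));
    printf("checked size for 8 fragments: %zu bytes\n",
           checked_fragment_bytes(8));
    return 0;
}
```

The naive version yields a zero byte count for the hostile value, so whatever the allocator hands back cannot hold a single descriptor; the checked version refuses the count up front, and every caller of alloc_fragment_table() treats NULL as a rejected request rather than a usable table.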
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/QEMU-NULL-pointer-dereference-via-VMXNET3-20439