Vigil@nce - QEMU: NULL pointer dereference via vapic_write
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can force a NULL pointer to be
dereferenced in the vapic_write() function of QEMU, in order to
trigger a denial of service on the host system.
Impacted products: Fedora, QEMU.
Severity: 1/4.
Creation date: 18/01/2016.
DESCRIPTION OF THE VULNERABILITY
The QEMU product can be compiled with a TPR optimization for
Windows guest systems.
However, during a write operation on the HMP interface, the
vapic_write() function does not check whether a pointer is NULL
before using it.
An attacker in a guest system can therefore force a NULL pointer
to be dereferenced in the vapic_write() function of QEMU, in order
to trigger a denial of service on the host system.
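The defect class described above (a device write handler that uses a pointer without first checking it for NULL, so a guest-triggered write crashes the host process) and the corresponding mitigation are shown below in a simplified, self-contained C illustration. This is an added example, not QEMU's code and not taken from the bulletin: the VapicState and GuestCpu structures, the vapic_write_hardened() handler, its return codes and the demo functions are all hypothetical stand-ins for the real emulator state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a virtual CPU (hypothetical, not QEMU's struct). */
typedef struct {
    uint32_t tpr;   /* mirror of the guest task priority register */
} GuestCpu;

/* Constructed stand-in for the device state handed to the write callback.
 * The cpu pointer may legitimately be NULL, e.g. before a vCPU is bound. */
typedef struct {
    GuestCpu *cpu;
    uint32_t  rom_state;
    unsigned  writes_ok;
    unsigned  writes_rejected;
} VapicState;

typedef enum {
    WRITE_OK       =  0,
    WRITE_NO_CPU   = -1,   /* handler reached with no bound vCPU */
    WRITE_BAD_SIZE = -2,   /* guest used an unsupported access width */
    WRITE_BAD_ADDR = -3    /* offset outside the emulated register window */
} WriteResult;

/* Hardened write handler (hypothetical). The mitigation for the bug class
 * in the bulletin is the first check: validate every pointer that guest
 * input can cause to be dereferenced, and fail the access instead of
 * touching memory through NULL. A rejected write is also counted so that
 * a monitoring path can notice a guest probing the device in that state. */
WriteResult vapic_write_hardened(VapicState *s, uint64_t addr,
                                 uint64_t data, unsigned size)
{
    if (s == NULL) {
        return WRITE_NO_CPU;
    }
    if (s->cpu == NULL) {
        s->writes_rejected++;
        return WRITE_NO_CPU;
    }
    if (size != 4) {
        return WRITE_BAD_SIZE;
    }
    switch (addr) {
    case 0x0:
        s->cpu->tpr = (uint32_t)data & 0xffu;   /* only the low byte is TPR */
        break;
    case 0x4:
        s->rom_state = (uint32_t)data;
        break;
    default:
        return WRITE_BAD_ADDR;
    }
    s->writes_ok++;
    return WRITE_OK;
}

/* Demo: a write arriving while no vCPU is bound is refused, not crashed on. */
int demo_null_cpu_rejected(void)
{
    VapicState s = { NULL, 0, 0, 0 };
    WriteResult r = vapic_write_hardened(&s, 0x0, 0x5, 4);
    return (r == WRITE_NO_CPU && s.writes_rejected == 1) ? 1 : 0;
}

/* Demo: with a bound vCPU the same write lands; returns the resulting TPR. */
int demo_bound_cpu_write(void)
{
    GuestCpu cpu = { 0 };
    VapicState s = { &cpu, 0, 0, 0 };
    if (vapic_write_hardened(&s, 0x0, 0x1f5, 4) != WRITE_OK) {
        return -1;
    }
    return (int)cpu.tpr;   /* expected 0xf5: high bits masked off */
}

int main(void)
{
    printf("null cpu rejected: %d\n", demo_null_cpu_rejected());
    printf("tpr after write:   0x%x\n", demo_bound_cpu_write());
    return 0;
}
```

The point of the pattern is that the guest controls when the handler runs but must never control whether the host dereferences a pointer that can be NULL; the check belongs in the handler itself, at the top, before any state is touched.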
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-NULL-pointer-dereference-via-vapic-write-18738