Re: CVE request Qemu: virtio: null pointer dereference in virtqueu_map_desc

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Quick emulator(Qemu) built with the virtio framework is vulnerable to a null
> pointer dereference flaw. It could occur if the guest was to set the I/O
> descriptor buffer length to a large value.
>
> A privileged user inside guest could use this flaw to crash the Qemu instance
> on the host resulting in DoS.
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1376755

> > virtio back end uses set of buffers to facilitate I/O operations.
> > If its size is too large, 'cpu_physical_memory_map' could return
> > a null address. This would result in a null dereference
> > while un-mapping descriptors. Add check to avoid it.

Use CVE-2016-7422.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/virtio/virtio.c but
that may be an expected place for a later update.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX3CoJAAoJEHb/MwWLVhi22UAP/i8JPCu45VXEBOxfSHFq2RuT
TFTLRJoGrzZSJmk0xJQzLevXfM/u/dP7M4bXXdiGETuXDoytygrZvpQX4TjhRcJa
6B2gCLdlPpcH+m3BW9OzfR3mxMVwGwBMLpDIKo4lRMBkW4Sm9BT5druuJtnYqrpi
28FtGgLimIIjWykf+XOPCSA1/7jOURlpQWp3AXzdJ4bbPekMIbwGjWDpsbxQFnWt
UyutNxjJMXKegxNbgKmqtle6O63HewHzzmkMwFpq9VH6yA84kA3ckc+Kn5o88mAz
4GOVBazW2WLaouT0mcNTSuEzKMVJZTFeMo9LkdOP70ds9ChkMUm4RE55jTTvy1HF
0EE7q9z9dKnO0DWht7/KtBO4o7pPSiSvz3Amc56D4rUzww2w4SkBwwQp40Eyt9K0
SNLEL62COpHMbqz0O+lZV/04ZgTvxwO82ALOOGHKzgFXEVZtr3QImugNKBDFItkF
AzMP9005g6XoXKDNgMDJVz07cDiVU5/tOwTFaFe88CVJR6l9Ez6RSkMUbdloHZD0
LlsaUPUhVLvKCV+RzUF1MH8Z8i4kIfbSkhSu65VqGeN05dUV+ClmUTj0Q10OGXnm
UmsmrsdkTDRvye6giFtkXrnV6aPLNkY+SXIePG1IYChtR8XVrHH+3LNeFmkSUMJr
r6mhE1RiIJ8ZeEkzvS3K
=d+8E
-----END PGP SIGNATURE-----