Vigil@nce - QEMU: NULL pointer dereference via NDIS Control Message
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can force a NULL pointer to be
dereferenced with an NDIS control message sent via USB to QEMU, in
order to trigger a denial of service on the host system.
Impacted products: QEMU.
Severity: 1/4.
Creation date: 16/02/2016.
DESCRIPTION OF THE VULNERABILITY
QEMU's emulated USB network device (hw/usb/dev-network.c) implements
RNDIS (Remote NDIS, the Network Driver Interface Specification
carried over USB). Whether the device is currently operating in
RNDIS mode is decided by the is_rndis() helper, which reads the
device's active USB configuration.
However, when the device has no active configuration (its
configuration pointer is NULL) and a RNDIS control message is
processed, is_rndis() in hw/usb/dev-network.c dereferences that
pointer without first checking it for NULL.
An attacker in a guest system can therefore send an NDIS control
message via USB to QEMU, force the NULL pointer dereference and
crash the QEMU process, in order to trigger a denial of service on
the host system. The correct behaviour is for is_rndis() to treat an
unconfigured device as not being in RNDIS mode; to check a QEMU
build, look at whether is_rndis() in hw/usb/dev-network.c tests the
configuration pointer before dereferencing it.
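The following C program is an added illustration, not code from QEMU or from the Vigil@nce bulletin. It models the vulnerable check beside its hardened form and a minimal version of the control-request dispatch that reaches it. The structure layouts, the constant values (DEV_RNDIS_CONFIG_VALUE, ClassInterfaceOutRequest, USB_CDC_SEND_ENCAPSULATED_COMMAND, USB_RET_STALL) and the function usb_net_control_model() are simplified stand-ins chosen for this example, not QEMU's declarations.

```c
/* Added example: simplified model of the is_rndis() NULL dereference in
 * QEMU's hw/usb/dev-network.c. Not QEMU's code; all types and constants
 * below are stand-ins carrying only what this check touches. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values, modelled after QEMU's naming; not copied from QEMU. */
#define DEV_RNDIS_CONFIG_VALUE            2
#define ClassInterfaceOutRequest          0x2100
#define USB_CDC_SEND_ENCAPSULATED_COMMAND 0x00
#define USB_RET_STALL                     (-3)

typedef struct USBDescConfig { unsigned char bConfigurationValue; } USBDescConfig;
typedef struct USBDevice     { const USBDescConfig *config; } USBDevice;  /* NULL when unconfigured */
typedef struct USBNetState   { USBDevice dev; } USBNetState;

/* Vulnerable shape: reads through dev.config without checking it.
 * With an unconfigured device this is a NULL dereference (SIGSEGV). */
static bool is_rndis_vulnerable(const USBNetState *s)
{
    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
}

/* Hardened shape: an unconfigured device is simply "not RNDIS". */
static bool is_rndis_fixed(const USBNetState *s)
{
    return s->dev.config != NULL &&
           s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
}

/* Model of the guest-driven control path: the guest sends a class OUT
 * request carrying a RNDIS control message; the device decides whether
 * it is in RNDIS mode before accepting it. Returns 0 when accepted,
 * USB_RET_STALL when refused. The check is passed in so both forms can
 * be exercised against the same device state. */
int usb_net_control_model(const USBNetState *s, int request, int value,
                          int index, bool (*rndis_check)(const USBNetState *))
{
    switch (request) {
    case ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND:
        if (!rndis_check(s) || value || index != 0) {
            return USB_RET_STALL;
        }
        return 0;  /* message would now be parsed as RNDIS */
    default:
        return USB_RET_STALL;
    }
}

int main(int argc, char **argv)
{
    (void)argv;
    USBDescConfig rndis_cfg = { DEV_RNDIS_CONFIG_VALUE };
    USBNetState configured   = { { &rndis_cfg } };
    USBNetState unconfigured = { { NULL } };       /* the vulnerable state */
    int req = ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND;

    printf("fixed, configured:   %d\n",
           usb_net_control_model(&configured, req, 0, 0, is_rndis_fixed));
    printf("fixed, unconfigured: %d\n",
           usb_net_control_model(&unconfigured, req, 0, 0, is_rndis_fixed));
    if (argc > 1) {
        /* Pass any argument to reproduce the crash: the vulnerable check
         * dereferences the NULL configuration pointer. */
        printf("vulnerable, unconfigured: %d\n",
               usb_net_control_model(&unconfigured, req, 0, 0, is_rndis_vulnerable));
    }
    return 0;
}
```

Run without arguments and the hardened check stalls the request on the unconfigured device (USB_RET_STALL) while accepting it on the configured one; run with any argument to see the vulnerable check crash on the same unconfigured state. The point for review is that the NULL check belongs inside is_rndis() itself, since the helper is called from several request paths and a guest chooses which of them it drives.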
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/QEMU-NULL-pointer-dereference-via-NDIS-Control-Message-18962