Vigil@nce - QEMU: assertion error via vmxnet3_io_bar0_read
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is privileged in a guest system, can generate an
assertion error in the vmxnet3_io_bar0_read() function of QEMU, in
order to trigger a denial of service on the host system.
Impacted products: Fedora, QEMU.
Severity: 1/4.
Creation date: 04/01/2016.
DESCRIPTION OF THE VULNERABILITY
The QEMU product implements support for VMXNET Generation 3
network devices.
However, an attacker with CAP_SYS_RAWIO privileges can read the
IMR (Interrupt Mask Registers). An assertion error then occurs,
because the developers did not expect this case, and it stops the
process.
An attacker, who is privileged in a guest system, can therefore
generate an assertion error in the vmxnet3_io_bar0_read() function
of QEMU, in order to trigger a denial of service on the host
system.
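As an added illustration that is not part of the Vigil@nce bulletin or of QEMU's code, the C below models a simplified emulated BAR0 read handler: the fragile pattern, an assertion on a guest-chosen register offset, beside a hardened variant that treats the IMR range as ordinary registers and counts any unexpected offset instead of aborting. The register offsets, stride and vector count are assumptions for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed register layout for a simplified emulated NIC BAR0; the offsets
 * and counts are assumptions for this example, not QEMU's vmxnet3 definitions. */
#define BAR0_IMR_BASE    0x000u   /* interrupt mask registers, one per vector */
#define BAR0_IMR_STRIDE  0x8u
#define BAR0_NUM_INTRS   25u
#define BAR0_TXPROD      0x600u   /* TX producer index register */

typedef struct {
    uint32_t imr[BAR0_NUM_INTRS];
    uint32_t txprod;
    unsigned unhandled_reads;     /* counter a host-side monitor could watch */
} nic_state;

/* Fragile pattern: the handler asserts that no IMR read ever arrives.
 * The offset is chosen by the guest, so a guest with raw I/O access can make
 * the assertion fail and abort the whole emulator process (host DoS).
 * Calling this with an IMR offset aborts; it is kept only for contrast. */
static uint32_t bar0_read_vulnerable(nic_state *s, uint64_t addr)
{
    if (addr == BAR0_TXPROD) {
        return s->txprod;
    }
    assert(!"IMR read not implemented");   /* guest-reachable abort */
    return 0;
}

/* Hardened pattern: every guest-reachable offset is ordinary input. Known
 * registers return their value; anything else is counted and reads as 0. */
static uint32_t bar0_read_hardened(nic_state *s, uint64_t addr)
{
    uint64_t imr_end = BAR0_IMR_BASE + (uint64_t)BAR0_NUM_INTRS * BAR0_IMR_STRIDE;
    if (addr >= BAR0_IMR_BASE && addr < imr_end && (addr % BAR0_IMR_STRIDE) == 0) {
        return s->imr[(addr - BAR0_IMR_BASE) / BAR0_IMR_STRIDE];
    }
    if (addr == BAR0_TXPROD) {
        return s->txprod;
    }
    s->unhandled_reads++;   /* log or count instead of asserting */
    return 0;
}
```

A spike in the unhandled-read counter on a running emulator is the kind of signal a defender would want logged rather than turned into an abort.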
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-assertion-error-via-vmxnet3-io-bar0-read-18631