A heap overflow in QEMU's cursor_alloc() can allow a malicious privileged guest user to crash the QEMU process or execute code on the host (VM escape)
Affected: QEMU (,8.0.0] (all releases up to and including 8.0.0); no fixed release
The fix for the CVE-2021-4206 integer overflow was incomplete. In ui/cursor.c, the function cursor_alloc() computes the buffer size before allocation as:

    size_t datasize = width * height * sizeof(uint32_t);

width and height are signed integers, so width * height is evaluated as a signed multiplication and only the result is converted to size_t (an unsigned type) when it is multiplied by sizeof(uint32_t). The sanity check added by the earlier fix, if (width > 512 || height > 512), rejects only values above 512, so two very large negative values pass it unchanged. Their product can overflow the signed integer, leaving datasize at 0 or a very small number, and cursor_alloc() then allocates far less memory than the cursor data needs. This could lead to a heap buffer overflow. A malicious privileged guest user could exploit this flaw to crash the QEMU process or execute arbitrary code on the host in the context of the QEMU process.
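The following is an added illustration, not QEMU's code and not the upstream fix: it re-creates the shape of the check and size calculation described above in a standalone C program, shows a constructed pair of negative dimensions that passes the incomplete check and yields a 64-byte datasize, and places a hardened variant beside it. All function names, the CURSOR_MAX_DIM constant and the hardened check are hypothetical; the signed int*int product is modelled with wrapping unsigned arithmetic so the example is deterministic (in real C that signed overflow is undefined behaviour, which on common compilers wraps in the same way).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical limit matching the "> 512" sanity check described above. */
#define CURSOR_MAX_DIM 512

/* The incomplete check: rejects only values above 512, so negatives pass. */
int dims_ok_incomplete(int width, int height)
{
    return !(width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM);
}

/*
 * datasize = width * height * sizeof(uint32_t), with the int * int product
 * modelled in wrapping two's-complement arithmetic (the conversion of an
 * out-of-range uint32_t to int32_t is implementation-defined, and wraps on
 * the usual ABIs). A negative product becomes a huge size_t; a product that
 * wrapped around to a small positive value becomes a tiny allocation.
 */
size_t datasize_incomplete(int width, int height)
{
    int32_t product = (int32_t)((uint32_t)width * (uint32_t)height);
    return (size_t)product * sizeof(uint32_t);
}

/*
 * Hardened variant (an assumption about a correct check, not the upstream
 * patch): reject non-positive and oversized dimensions before any arithmetic,
 * and multiply in size_t where the bounds make overflow impossible.
 */
int dims_ok_hardened(int width, int height)
{
    return width > 0 && height > 0 &&
           width <= CURSOR_MAX_DIM && height <= CURSOR_MAX_DIM;
}

/* Returns 0 and sets *out on success, -1 when the dimensions are rejected. */
int datasize_hardened(int width, int height, size_t *out)
{
    if (!dims_ok_hardened(width, height))
        return -1;
    *out = (size_t)width * (size_t)height * sizeof(uint32_t); /* at most 1 MiB */
    return 0;
}

int main(void)
{
    /* Constructed attacker-chosen dimensions: both negative, so both are
     * "not > 512"; 272 * 15790321 == 2^32 + 16, so the product wraps to 16. */
    int w = -272, h = -15790321;
    size_t sz;

    printf("incomplete check passes: %d, datasize = %zu bytes\n",
           dims_ok_incomplete(w, h), datasize_incomplete(w, h));
    printf("hardened check accepts: %d\n", datasize_hardened(w, h, &sz) == 0);
    return 0;
}
```

With the constructed dimensions the incomplete path allocates 64 bytes for a cursor whose stored width and height are nowhere near 4x4 pixels, which is the undersized allocation the description refers to; the hardened path rejects the same input before any size is computed. Positivity is the part the original check was missing: an upper bound alone says nothing about negative values.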
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue