An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. A guest can crash the QEMU process on the host by issuing a specially crafted SCSI_IOCTL_SEND_COMMAND. The request trips an assertion that requires the size of a completed DMA transfer to be a multiple of 512 bytes (one sector), so a transfer of any other size aborts the whole QEMU process rather than failing only the guest's command. NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert."
CWE-754: The product does not check, or incorrectly checks, for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product.
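The assertion pattern described above, as an added illustration written for this entry and not code taken from QEMU's hw/ide/core.c: a minimal model of a DMA completion callback in which the struct, its field names and both callback functions are hypothetical. The first variant derives a sector count from the completed byte count and asserts that the guest-mapped scatter-gather size matches it exactly; a pass-through command that completes a byte count that is not a multiple of 512 violates that, and the assertion (modelled here as a return value) would take the whole host process down. The second variant treats the same input as a command error visible only to the offending guest.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512u

/* Outcome of one DMA completion. DMA_HOST_ABORT stands in for the
 * assertion firing, which in a real device model kills the whole QEMU
 * process (and every other device and guest it serves). */
enum dma_result {
    DMA_DONE,
    DMA_GUEST_ERROR,
    DMA_HOST_ABORT
};

/* Hypothetical per-drive state; the field names resemble what an IDE
 * model keeps, but this is not QEMU's IDEState. */
struct ide_state {
    uint32_t nsector;    /* sectors still outstanding for the command */
    uint32_t sg_size;    /* bytes mapped from the guest-supplied PRDT */
    uint32_t committed;  /* bytes handed back to the guest so far */
    uint64_t sector_num; /* next LBA to transfer */
};

/* Unsafe pattern: the completed byte count (guest-influenced via the
 * pass-through command) is assumed to be sector-aligned, and the PRDT
 * size is asserted to equal the derived sector count times 512. */
static enum dma_result dma_cb_assert(struct ide_state *s, uint32_t io_bytes)
{
    uint32_t n = io_bytes / SECTOR_SIZE;
    if (n > s->nsector) {
        n = s->nsector;
    }
    if (n > 0) {
        /* A real model would write assert(n * 512 == s->sg.size) here;
         * returning DMA_HOST_ABORT models that abort() without killing
         * this demo. */
        if (n * SECTOR_SIZE != s->sg_size) {
            return DMA_HOST_ABORT;
        }
        s->committed += n * SECTOR_SIZE;
        s->sector_num += n;
        s->nsector -= n;
    }
    return DMA_DONE;
}

/* Checked pattern (the shape a hardened handler could take; this is not
 * a claim about the patch QEMU shipped): a byte count or PRDT length
 * that is not sector-aligned, or that disagrees with the sector count,
 * fails the command for this guest and leaves the process running. */
static enum dma_result dma_cb_checked(struct ide_state *s, uint32_t io_bytes)
{
    uint32_t n;
    if (io_bytes % SECTOR_SIZE != 0 || s->sg_size % SECTOR_SIZE != 0) {
        return DMA_GUEST_ERROR;
    }
    n = io_bytes / SECTOR_SIZE;
    if (n > s->nsector) {
        n = s->nsector;
    }
    if (n > 0) {
        if (n * SECTOR_SIZE != s->sg_size) {
            return DMA_GUEST_ERROR;
        }
        s->committed += n * SECTOR_SIZE;
        s->sector_num += n;
        s->nsector -= n;
    }
    return DMA_DONE;
}

static const char *result_name(enum dma_result r)
{
    switch (r) {
    case DMA_DONE:        return "DMA_DONE";
    case DMA_GUEST_ERROR: return "DMA_GUEST_ERROR";
    default:              return "DMA_HOST_ABORT";
    }
}

int main(void)
{
    /* Constructed inputs: a two-sector request whose PRDT and completed
     * transfer are 700 bytes (not a multiple of 512), and a well-formed
     * 1024-byte transfer for comparison. */
    struct ide_state a = { 2, 700, 0, 0 };
    struct ide_state b = { 2, 700, 0, 0 };
    struct ide_state c = { 2, 1024, 0, 0 };

    printf("assert pattern,  700 bytes: %s\n", result_name(dma_cb_assert(&a, 700)));
    printf("checked pattern, 700 bytes: %s\n", result_name(dma_cb_checked(&b, 700)));
    printf("checked pattern, 1024 bytes: %s (sectors left: %u)\n",
           result_name(dma_cb_checked(&c, 1024)), c.nsector);
    return 0;
}
```

Build with `cc -std=c99 -Wall dma_cb_demo.c`. The point of the comparison is the blast radius: with the assert pattern a misaligned completion from one guest's pass-through command is a host-process exit, which is exactly the denial of service the entry describes; with the checked pattern the same input is an ABRT-style status for that guest alone. Whether that check belongs in the IDE callback or lower in the block layer is a design question the referenced patch thread addresses, and this block does not reproduce that fix.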
Link | Tags |
---|---|
https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html | Mailing List, Third Party Advisory, Exploit |
https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html | Third Party Advisory |
https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg02165.html | Patch, Mailing List, Third Party Advisory |
https://www.mail-archive.com/qemu-devel%40nongnu.org/msg667396.html | |
https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html | Third Party Advisory, Mailing List |