Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.
A critical memory leak vulnerability exists in QEMU's 9p filesystem implementation, allowing a privileged guest OS user to exhaust the host's memory. This can lead to a denial-of-service (DoS) condition, potentially crashing the QEMU process and disrupting virtual machine operations. Exploitation relies on a missing cleanup operation in the handle backend: host-side memory is allocated for each handle but never released, so allocations grow without bound.
Step 1: Guest OS Access: A privileged user within the guest operating system gains access to the 9p filesystem. This typically involves mounting the 9p share.
Step 2: File Handle Creation: The guest OS interacts with the 9p filesystem, such as opening a file. This action triggers the creation of a file handle within the QEMU process on the host.
Step 3: Missing Cleanup Trigger: The guest OS closes the file or performs operations that should trigger the release of the file handle. However, due to the vulnerability, the cleanup operation is missing.
Step 4: Memory Leak: The file handle's associated memory is not freed. This memory remains allocated on the host.
Step 5: Repeated Exploitation: The guest OS repeatedly opens and closes files, or performs other 9p operations, creating and leaking more file handles.
Step 6: Host Memory Exhaustion: The accumulated memory leaks eventually consume all available host memory.
Step 7: Denial of Service: The host system experiences a denial-of-service condition, potentially crashing the QEMU process or making the host unresponsive.
The vulnerability lies within hw/9pfs/9p-handle.c, the handle backend of QEMU's 9p filesystem implementation, and stems from a missing cleanup operation in that backend. When a guest OS interacts with the 9p filesystem, the backend creates and manages file handles, allocating host-side state for each one; because the cleanup step is missing, that state is not released after use. Each open/close cycle therefore leaves another unreleased allocation behind, and repeated interaction with the share (opening and closing files) accumulates them until all available host memory is consumed, causing a denial-of-service (DoS) condition. This lack of resource management lets a malicious guest exhaust the host's memory, potentially crashing the QEMU process and taking the VM down. The root cause is a failure to free the memory associated with file handles; the resulting exhaustion is gradual but, given enough repetitions, complete.
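The following is an added illustration of the pattern described above and in the step-by-step walkthrough; it is example code written for this page, not QEMU's code from hw/9pfs/9p-handle.c. It models a backend that keeps one host-side allocation per guest-opened file in a small table (the struct layout, the `handle_open`/`handle_close_*` names and the constructed descriptor value are all assumptions). The leaky close routine marks the descriptor closed but never unlinks or frees the entry, so the table grows by one allocation per open/close cycle; the fixed routine releases everything acquired in `handle_open`. Counting the table after a burst of cycles is the same check a reviewer or a leak-detection test would apply to a real backend.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the host-side state a 9p-style backend keeps for every file
 * the guest opens. The layout is an assumption for this example; it is not
 * QEMU's struct, and the "handle bytes" are a constructed opaque blob. */
typedef struct backend_handle {
    int fd;                       /* host descriptor (constructed; nothing is really opened) */
    char path[64];                /* guest-visible path this handle belongs to */
    unsigned char blob[128];      /* stands in for the opaque file-handle bytes */
    struct backend_handle *next;  /* link in the backend's table of live handles */
} backend_handle;

static backend_handle *table = NULL;   /* head of the live-handle table */

/* Count entries the backend still holds: this is what grows on the host. */
size_t handles_live(void)
{
    size_t n = 0;
    for (backend_handle *h = table; h; h = h->next) n++;
    return n;
}

/* Open: allocate host-side state for a guest file and register it. */
backend_handle *handle_open(const char *path, int fd)
{
    backend_handle *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->fd = fd;
    snprintf(h->path, sizeof h->path, "%s", path);
    h->next = table;
    table = h;
    return h;
}

/* VULNERABLE close: the descriptor is marked closed, but the entry is never
 * unlinked or freed, so every open/close cycle leaves one more allocation
 * behind. This is the "missing cleanup operation" pattern. */
void handle_close_leaky(backend_handle *h)
{
    if (!h) return;
    h->fd = -1;           /* stands in for close(fd) */
    /* missing: unlink h from the table and free(h) */
}

/* FIXED close: every resource acquired in handle_open is released. */
void handle_close_fixed(backend_handle *h)
{
    if (!h) return;
    h->fd = -1;
    for (backend_handle **pp = &table; *pp; pp = &(*pp)->next) {
        if (*pp == h) { *pp = h->next; break; }
    }
    free(h);
}

/* Backend teardown: release whatever is still in the table. */
void handles_teardown(void)
{
    while (table) {
        backend_handle *h = table;
        table = h->next;
        free(h);
    }
}

/* Drive n open/close cycles through the chosen close routine and return how
 * many handles the backend still holds afterwards (0 means no leak). */
size_t run_cycles(size_t n, void (*close_fn)(backend_handle *))
{
    for (size_t i = 0; i < n; i++) {
        backend_handle *h = handle_open("/share/file.txt", 42);
        if (!h) break;
        close_fn(h);
    }
    return handles_live();
}

int main(void)
{
    printf("leaky close, 1000 cycles: %zu handles still held\n",
           run_cycles(1000, handle_close_leaky));
    handles_teardown();
    printf("fixed close, 1000 cycles: %zu handles still held\n",
           run_cycles(1000, handle_close_fixed));
    handles_teardown();
    return 0;
}
```

The same property that the test checks here (handles held after a burst of cycles must return to zero) is the one to assert in a regression test for any backend that pairs an allocation with a release; on a running host, the observable symptom of the leaky variant is a QEMU process whose resident memory climbs monotonically while a guest works a 9p share.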