Source: secalert@redhat.com
Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.
QEMU, a widely used virtualization software, is vulnerable to a memory leak that can lead to a denial-of-service (DoS) condition. A malicious guest operating system can exploit a flaw in the 9pfs file system implementation to exhaust the host's memory, potentially causing the QEMU process to crash and disrupting virtual machine operations.
Step 1: Guest OS Interaction: A privileged user within a guest operating system initiates file system operations using the 9pfs protocol. This interaction involves creating and using file handles. Step 2: Handle Creation: The 9pfs backend in QEMU creates file handles to manage the guest's file access requests. Step 3: Missing Cleanup: After the guest OS is done with the file handles, the QEMU code fails to release the memory associated with these handles. This is the core of the memory leak. Step 4: Memory Exhaustion: Repeated file system operations by the guest OS, without proper handle cleanup, lead to a continuous allocation of memory on the host. This memory is never freed. Step 5: Denial of Service: Eventually, the host's memory is exhausted, leading to a DoS condition. The QEMU process may crash, or the host system may become unresponsive due to the lack of available memory.
The vulnerability resides in the hw/9pfs/9p-handle.c file within QEMU's 9pfs (Plan 9 file system) implementation. Specifically, the code lacks proper cleanup operations for handles created within the 9pfs backend. When a guest OS interacts with the 9pfs file system, handles are created to manage file access. Due to the missing cleanup, these handles are not released after use, leading to a gradual accumulation of allocated memory on the host. This memory leak eventually consumes all available host memory, resulting in a DoS condition. The root cause is a failure to free allocated memory associated with file handles, specifically in the context of the 9pfs backend's interaction with the guest OS. This is not a buffer overflow or a race condition, but a simple memory management error.
While no specific APT groups are definitively linked to active exploitation of this vulnerability, its ease of exploitation and potential for DoS make it attractive to various threat actors. The vulnerability is not listed on the CISA KEV catalog, but it's a potential risk for any environment using vulnerable QEMU versions.
Monitor host memory usage for unusual spikes or continuous growth, especially when guest VMs are actively using the 9pfs file system.
Analyze QEMU process memory consumption using tools like top, ps, or perf to identify memory leaks.
Examine QEMU logs for errors or warnings related to memory allocation or file system operations.
Network traffic analysis: Look for excessive 9pfs protocol traffic between the guest and host, especially file operations.
Monitor for QEMU process crashes or unexpected restarts.
Upgrade QEMU to a patched version that addresses the memory leak. This is the primary and most effective remediation step.
If upgrading is not immediately possible, restrict the use of the 9pfs file system by untrusted guest OSes. Consider using alternative file sharing methods.
Implement host-level memory monitoring and alerting to detect and respond to excessive memory consumption.
Regularly review and audit QEMU configurations to minimize the attack surface.
Apply host-level resource limits (e.g., using cgroups) to the QEMU process to prevent it from consuming all available memory, mitigating the DoS impact.