Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.
QEMU, a widely used virtualization platform, is vulnerable to a memory leak that can be triggered by a guest OS user. This vulnerability, residing in the 9p-proxy component, allows an attacker to exhaust the host's memory, potentially leading to a denial-of-service condition and/or a QEMU process crash, severely impacting virtual machine availability.
Step 1: Guest OS Interaction: A privileged user within the guest operating system initiates a series of 9p protocol requests, specifically targeting the proxy backend.
Step 2: Proxy Backend Processing: The 9p-proxy backend in QEMU receives and processes these requests. During processing, it allocates memory to manage the requests and responses.
Step 3: Memory Allocation: The proxy backend allocates memory for each request, but fails to release it after the request is processed.
Step 4: Memory Leak: The allocated memory is not freed, leading to a memory leak. Each subsequent request further exacerbates the leak.
Step 5: Host Memory Exhaustion: Over time, the memory leak consumes the host's available memory.
Step 6: Denial of Service: The host runs out of memory, potentially leading to a denial-of-service condition, including QEMU process crashes or system instability.
The vulnerability stems from a missing cleanup operation in the hw/9pfs/9p-proxy.c file of QEMU: the proxy backend fails to release memory it allocated while handling certain 9p protocol operations. The leak is triggered by specific interactions with the 9p filesystem, where the proxy backend allocates memory to manage requests and responses and never deallocates it, so unreleased memory accumulates and the host's memory is consumed over time, potentially leading to a system crash or denial of service. The root cause is a flaw in the memory management of the 9p-proxy component, specifically a failure to free allocated memory once it is no longer needed; this is not a buffer overflow or a race condition, but a direct consequence of improper memory management.
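The following C program is an added illustration of the bug class described above, not code from QEMU or from hw/9pfs/9p-proxy.c. It models a hypothetical request handler (struct proxy_request, handle_request_leaky, handle_request_fixed and the PATH_MAX_LEN limit are all constructed for this example) that allocates per-request state and, in the leaky variant, returns early on a validation failure without releasing it. The instrumented allocator counts outstanding buffers so the leak is visible as a growing number per rejected request; the fixed variant routes every exit through one cleanup label.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumentation for this example only: tracks how many request buffers
 * are currently allocated, so a leak shows up as a growing count. */
static size_t live_allocations = 0;

static void *req_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocations++;
    return p;
}

static void req_free(void *p)
{
    if (p) {
        free(p);
        live_allocations--;
    }
}

#define PATH_MAX_LEN 63   /* hypothetical limit chosen for the example */

/* Hypothetical per-request state, standing in for whatever a proxy backend
 * allocates to track a request and build its reply. */
struct proxy_request {
    char path[PATH_MAX_LEN + 1];
    char *reply;
};

/* Leaky handler: a validation failure returns early and skips the cleanup
 * at the bottom, so the request state is never released. */
int handle_request_leaky(const char *path)
{
    struct proxy_request *req = req_alloc(sizeof *req);
    if (!req)
        return -1;
    if (strlen(path) > PATH_MAX_LEN)
        return -2;               /* BUG: missing cleanup on this exit path */
    strcpy(req->path, path);
    req->reply = req_alloc(128);
    if (!req->reply)
        return -1;               /* BUG: same omission */
    snprintf(req->reply, 128, "reply for %s", req->path);
    req_free(req->reply);
    req_free(req);
    return 0;
}

/* Fixed handler: every exit path funnels through one cleanup label; because
 * calloc() zeroes the struct, req->reply is a NULL-safe free when unset. */
int handle_request_fixed(const char *path)
{
    int ret = 0;
    struct proxy_request *req = req_alloc(sizeof *req);
    if (!req)
        return -1;
    if (strlen(path) > PATH_MAX_LEN) {
        ret = -2;
        goto out;
    }
    strcpy(req->path, path);
    req->reply = req_alloc(128);
    if (!req->reply) {
        ret = -1;
        goto out;
    }
    snprintf(req->reply, 128, "reply for %s", req->path);
out:
    req_free(req->reply);
    req_free(req);
    return ret;
}

/* Drives 'count' requests for 'path' through a handler and returns how many
 * request buffers remain allocated afterwards (0 means no leak). */
size_t leaked_after(int (*handler)(const char *), const char *path, int count)
{
    size_t before = live_allocations;
    for (int i = 0; i < count; i++)
        handler(path);
    return live_allocations - before;
}

int main(void)
{
    /* Constructed input: a path just over the limit forces the early return. */
    char long_path[PATH_MAX_LEN + 10];
    memset(long_path, 'a', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    printf("leaky handler, 1000 rejected requests: %zu buffers still allocated\n",
           leaked_after(handle_request_leaky, long_path, 1000));
    printf("fixed handler, 1000 rejected requests: %zu buffers still allocated\n",
           leaked_after(handle_request_fixed, long_path, 1000));
    return 0;
}
```

The counter makes the defect measurable in a unit test: one leaked buffer per rejected request is exactly the "each subsequent request further exacerbates the leak" behaviour the steps above describe. In a real code base the same check is done without custom instrumentation by running the request path under a leak detector such as Valgrind or AddressSanitizer's LeakSanitizer, which reports allocations with no remaining reference at exit.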