CVE-2021-3748: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the virtio-net device of QEMU (CVE-2021-3748). The vulnerability occurs when the descriptor's address belongs to the non-direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. This vulnerability was discovered in August 2021 and affects QEMU versions prior to 6.2.0 (Ubuntu Security, NetApp Advisory).

The vulnerability exists in the virtio_net_receive_rcu function within hw/net/virtio-net.c. The issue arises when mergeable buffer is enabled, and the system attempts to set the num_buffers after the virtqueue elem has been unmapped. This specifically occurs when dealing with bounce buffers that are allocated during address_space_map() and freed during address_space_unmap(). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (Ubuntu Security).

The successful exploitation of this vulnerability could allow a malicious guest to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. This could lead to disclosure of sensitive information, addition or modification of data, or system unavailability (CVE Mitre, NetApp Advisory).

The vulnerability has been fixed in QEMU version 6.2.0 and later. The fix involves storing the elems temporarily in an array and delaying the unmap operation until after setting the num_buffers. The patch was committed by Jason Wang and is available in the upstream repository (QEMU Patch). Various Linux distributions have also released security updates to address this vulnerability (Gentoo Security).