CVE-2021-3750: 
NixOS vulnerability analysis and mitigation

A DMA reentrancy issue was discovered in the USB EHCI controller emulation of QEMU, tracked as CVE-2021-3750. The vulnerability affects QEMU versions prior to 7.0.0. The issue occurs because EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when transferring USB packets (CVE Mitre, Debian Tracker).

The vulnerability stems from a DMA reentrancy issue where crafted content can be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can lead to a use-after-free condition in the EHCI controller emulation. The issue has been assigned a CVSS score of 8.2 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NetApp Advisory).

A malicious guest could exploit this vulnerability to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. However, when QEMU is used with libvirt, which provides isolation mechanisms including SELinux and sVirt protection, the potential impact is limited (Red Hat Bugzilla).

The vulnerability was fixed in QEMU version 7.0.0 and later. The fix addresses the entire class of DMA MMIO reentrancy issues through a comprehensive patch set. For systems that cannot immediately upgrade, it is recommended to use QEMU through libvirt, which provides additional security isolation mechanisms (Red Hat Bugzilla).

The vulnerability was treated as part of a broader effort to address DMA MMIO reentrancy issues in QEMU, leading to the creation of a tracking issue for similar vulnerabilities. Multiple vendors including Red Hat, Debian, and NetApp have acknowledged and addressed the vulnerability in their products (QEMU Issue).