tl;dr

• The patch adds a vulnerable virtio device
• The device accesses pointers without bound check
• Abuse OOB pointer access to setup arb r/w primitive
• Craft open,read,write ropchain on heap
• Overwrite virtqueue handler with stack pivoting gadget

tl;dr

This post will describe how I exploited CVE-2019-14378, which is a pointer miscalculation in network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing.