<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: P J P <ppandit () redhat com>
Date: Mon, 24 Aug 2020 18:22:05 +0530 (IST)
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
An out-of-bounds read/write access issue was found in the USB emulator of the
QEMU. It occurs while processing USB packets from a guest, when
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in
do_token_{in,out} routines.
A guest user may use this flaw to crash the QEMU process resulting in DoS OR
potentially execute arbitrary code with the privileges of the QEMU process on
the host.
* Attached herein is an upstream patch from Gerd Hoffmann(CC'd) to fix this
issue.
* 'CVE-2020-14364' is assigned to this issue by Red Hat Inc.
* This issue was independently reported by Ziming Zhang, Gonglei Arei and
Yanyu Zhang(CC'd).
Gonglei and Yanyu mentioned that the issue was found by Xiao Wei(CC'd).
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8DAttachment:
0001-usb-fix-setup-len-init.patch
Description:
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets P J P (Aug 24)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->