Bug 1879652 (CVE-2020-25084)

Summary: CVE-2020-25084 QEMU: usb: use-after-free issue while setting up packet
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, berrange, cfergeau, drjones, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, virt-maint, vkuznets, xen-maint, yduan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the USB(xHCI/eHCI) controller emulators of QEMU. This flaw occurs while setting up the USB packet as a usb_packet_map() routine and returns an error that was not checked. This flaw allows a guest user or process to crash the QEMU process, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-15 12:05:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1879653, 1879654, 1879656, 1879657, 1879658, 1879659, 1879660, 1879661, 1879662, 1879663, 1910679    
Bug Blocks: 1850259    

Description Prasad Pandit 2020-09-16 18:01:17 UTC 
An use-after-free issue was found in USB(xHCI/eHCI) controller emulators of QEMU. It occurs while setting up USB packet, as usb_packet_map() routine may return an error, which was not checked. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08050.html
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08043.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/09/16/5
Comment 1 Prasad Pandit 2020-09-16 18:01:28 UTC 
Acknowledgments:

Name: Sergej Schumilo (Ruhr-University Bochum), Cornelius Aschermann (Ruhr-University Bochum), Simon Wrner (Ruhr-University Bochum)
Comment 2 Prasad Pandit 2020-09-16 18:01:32 UTC 
External References:

https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fxhci_uaf_2
Comment 3 Prasad Pandit 2020-09-16 18:02:06 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1879653]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1879654]
Comment 6 Nick Tait 2021-03-02 20:15:23 UTC 
Statement:

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.