Bug 1879808 (CVE-2020-25625)

Summary: CVE-2020-25625 QEMU: usb: hcd-ohci: infinite loop issue while processing transfer descriptors
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, berrange, cfergeau, drjones, imammedo, itamar, jen, jferlan, jforbes, jmaloy, knoel, m.a.young, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: QEMU 5.1.1 Doc Type: ---
Doc Text:
An infinite loop flaw was found in the USB OHCI controller emulator of QEMU. This flaw occurs while servicing OHCI isochronous transfer descriptors (TD) in the ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. It does not check if the TD was already processed and holds an error code in TD_CC. This issue may happen if the TD list has a loop. This flaw allows a guest user or process to consume CPU cycles on the host, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-15 12:06:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1879809, 1879810, 1910674    
Bug Blocks: 1867982    

Description Prasad Pandit 2020-09-17 05:32:01 UTC 
An infinite loop issue was found in the USB OHCI controller emulator of QEMU. It could occur while servicing OHCI isochronous transfer descriptors (TD) in ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. While do so it does not check if the TD was already processed ones and holds an error code in TD_CC. It may happen if the TD list has a loop. A guest user/process may use this flaw to consume cpu cycles on the host resulting in DoS scenario.

Upstream patch:
---------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/09/17/1
Comment 1 Prasad Pandit 2020-09-17 05:32:39 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1879809]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1879810]