Bug 2313497 (CVE-2024-8354)

Summary: CVE-2024-8354 qemu-kvm: usb: assertion failure in usb_ep_get()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, ddepaula, jen, jferlan, jmaloy, kkiwi, knoel, mrezanin, mst, nilal, pbonzini, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2313500    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-19 09:19:33 UTC 
An assertion failure was found in QEMU in the usb_ep_get() function in hw/net/core.c. The TD PID needs to be either USB_TOKEN_IN or USB_TOKEN_OUT in usb_ep_get, but in the caller uhci_handle_td it may be USB_TOKEN_SETUP.

An unprivileged guest user may be able to reach the assertion. Users are not directly able to craft URBs, however as a user, one might be able to find a kernel path that would send a TD with PID USB_TOKEN_SETUP to QEMU (which is called USB_PID_SETUP in Linux). For instance in the Linux Kernel, uhci_submit_control in drivers/usb/host/uhci-q.c:789  does link a USB_PID_SETUP TD to the URB.

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/2548