Quick Emulator (Qemu) built with the USB xHCI controller emulation support is vulnerable to an infinite loop issue. It could occur while processing the USB command ring in 'xhci_ring_fetch'. A privileged user/process inside the guest could use this issue to crash the Qemu process on the host, leading to DoS.

Upstream patch
--------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01265.html
Acknowledgments: Name: Li Qiang (Qihoo 360)
Created attachment 1154206: Backtrace report
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1382323]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1382322]
I think this ended up as:

commit 05f43d44e4bc26611ce25fd7d726e483f73363ce
Author: Gerd Hoffmann <kraxel>
Date:   Mon Oct 10 12:46:22 2016 +0200

    xhci: limit the number of link trbs we are willing to process
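The commit named above bounds how many link TRBs the ring fetch is willing to follow. A simplified model of that kind of bounded fetch follows, added here as an illustration and not taken from QEMU's source. The `Trb`/`Ring` layout, `ring_fetch`, the use of an array index in place of a guest DMA address, and the `LINK_LIMIT` value are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified ring model for illustration; not QEMU's structures. */
#define TRB_C         (1u << 0)   /* cycle bit */
#define TRB_LK_TC     (1u << 1)   /* link TRB: toggle cycle */
#define TRB_TYPE(c)   (((c) >> 10) & 0x3f)
#define TYPE_LINK     6u          /* xHCI Link TRB */
#define TYPE_NOOP_CMD 23u         /* xHCI No Op Command TRB */
#define LINK_LIMIT    4u          /* assumed cap for this example */

typedef struct { uint64_t parameter; uint32_t status, control; } Trb;
typedef struct { const Trb *mem; size_t len, dequeue; unsigned ccs; } Ring;
enum { FETCH_ERROR = -1, FETCH_OK = 0, FETCH_EMPTY = 1 };

/* Return the next non-link TRB, following at most LINK_LIMIT link TRBs. */
int ring_fetch(Ring *r, Trb *out)
{
    unsigned links = 0;
    for (;;) {
        if (r->dequeue >= r->len)
            return FETCH_ERROR;             /* pointer left the modelled ring */
        Trb trb = r->mem[r->dequeue];
        if ((trb.control & TRB_C) != r->ccs)
            return FETCH_EMPTY;             /* TRB not handed to the consumer */
        if (TRB_TYPE(trb.control) != TYPE_LINK) {
            r->dequeue++;
            *out = trb;
            return FETCH_OK;
        }
        if (++links > LINK_LIMIT)
            return FETCH_ERROR;             /* guest-built link cycle: give up */
        r->dequeue = (size_t)trb.parameter; /* model: parameter is an index */
        if (trb.control & TRB_LK_TC)
            r->ccs ^= 1u;
    }
}

int main(void)
{
    /* Constructed input: one link TRB pointing at itself, no cycle toggle. */
    static const Trb ring[] = { { 0, 0, (TYPE_LINK << 10) | TRB_C } };
    Ring r = { ring, 1, 0, 1 };
    Trb out;
    printf("self-linked ring: rc=%d\n", ring_fetch(&r, &out));
    return 0;
}
```

Without the `links` counter, the self-linked ring never leaves the `for` loop, because every iteration sees a valid cycle bit and another link TRB.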
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)
  Red Hat OpenStack Platform 11.0 (Ocata)
  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
  Red Hat OpenStack Platform 8.0 (Liberty)
  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:2408 https://access.redhat.com/errata/RHSA-2017:2408
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:2392 https://access.redhat.com/errata/RHSA-2017:2392