Bug 1869201 (CVE-2020-14364) - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1869697 1869698 1871849 1869684 1869686 1869687 1869688 1869689 1869690 1869691 1869692 1869693 1869694 1869695 1869696 1869699 1869700 1869701 1869703 1869704 1869705 1869706 1869707 1869708 1869709 1869710 1869711 1869712 1869713 1869714 1869715 1869716 1869718 1871850 1873313 1877667 1878008 1878044 1878045 1878684
Blocks: 1868610
 
Reported: 2020-08-17 09:33 UTC by Prasad J Pandit
Modified: 2020-10-20 09:28 UTC (History)

Fixed In Version: QEMU-5.2.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read/write access flaw was found in the USB emulator of QEMU. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2020-09-29 08:40:52 UTC
jmaloy: needinfo-
yjog: needinfo? (jinjli)
yjog: needinfo? (cchen)




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4047 None None None 2020-09-29 08:46:18 UTC
Red Hat Product Errata RHSA-2020:4048 None None None 2020-09-29 08:26:40 UTC
Red Hat Product Errata RHSA-2020:4049 None None None 2020-09-29 08:37:14 UTC
Red Hat Product Errata RHSA-2020:4050 None None None 2020-09-29 08:42:47 UTC
Red Hat Product Errata RHSA-2020:4051 None None None 2020-09-29 08:43:29 UTC
Red Hat Product Errata RHSA-2020:4052 None None None 2020-09-29 15:22:02 UTC
Red Hat Product Errata RHSA-2020:4053 None None None 2020-09-29 15:28:57 UTC
Red Hat Product Errata RHSA-2020:4054 None None None 2020-09-29 08:25:38 UTC
Red Hat Product Errata RHSA-2020:4055 None None None 2020-09-29 08:26:02 UTC
Red Hat Product Errata RHSA-2020:4056 None None None 2020-10-07 17:26:53 UTC
Red Hat Product Errata RHSA-2020:4058 None None None 2020-09-29 08:24:56 UTC
Red Hat Product Errata RHSA-2020:4059 None None None 2020-09-29 08:54:17 UTC
Red Hat Product Errata RHSA-2020:4078 None None None 2020-09-29 22:15:37 UTC
Red Hat Product Errata RHSA-2020:4079 None None None 2020-09-30 05:53:38 UTC
Red Hat Product Errata RHSA-2020:4111 None None None 2020-09-30 09:23:07 UTC
Red Hat Product Errata RHSA-2020:4115 None None None 2020-09-30 10:13:11 UTC
Red Hat Product Errata RHSA-2020:4162 None None None 2020-10-01 14:59:10 UTC
Red Hat Product Errata RHSA-2020:4167 None None None 2020-10-05 09:58:40 UTC
Red Hat Product Errata RHSA-2020:4172 None None None 2020-10-05 13:09:42 UTC
Red Hat Product Errata RHSA-2020:4176 None None None 2020-10-05 20:43:52 UTC
Red Hat Product Errata RHSA-2020:4290 None None None 2020-10-20 09:28:58 UTC
Red Hat Product Errata RHSA-2020:4291 None None None 2020-10-20 09:25:27 UTC

Description Prasad J Pandit 2020-08-17 09:33:31 UTC
An out-of-bounds read/write access issue was found in the USB emulator of QEMU. It occurs while processing USB packets from a guest, when USBDevice 'setup_len' exceeds the 'data_buf[4096]' in the do_token_in and do_token_out routines.

A guest user may use this flaw to crash the QEMU process, resulting in DoS, or potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-08/msg05969.html
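
A simplified C model of the flaw described above, added here as an illustration; it is not QEMU's code and not part of the original report. It shows a write-before-validate ordering that lets a rejected SETUP request leave an oversized `setup_len` in device state for later data-stage handlers, next to the corrected ordering that validates a local value first. Only `setup_len` and `data_buf[4096]` come from the report; the struct, function names and sample packet are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the state the report names; not QEMU's USBDevice. */
struct usb_model {
    uint8_t setup_buf[8];
    uint8_t data_buf[4096];
    int32_t setup_len;    /* bytes the data stage is expected to move */
    int32_t setup_index;  /* bytes moved so far */
};

/* wLength is bytes 6..7 of the SETUP packet, fully guest-controlled. */
static int32_t wlength(const uint8_t *setup) {
    return (setup[7] << 8) | setup[6];
}

/* Flawed ordering: the field is written before it is validated, so a
 * rejected request still leaves an oversized setup_len behind. */
int setup_flawed(struct usb_model *s, const uint8_t setup[8]) {
    s->setup_len = wlength(setup);
    if (s->setup_len > (int32_t)sizeof(s->data_buf)) return -1;
    s->setup_index = 0;
    return 0;
}

/* Corrected ordering: validate a local, commit only on success. */
int setup_checked(struct usb_model *s, const uint8_t setup[8]) {
    int32_t len = wlength(setup);
    if (len > (int32_t)sizeof(s->data_buf)) return -1;
    s->setup_len = len;
    s->setup_index = 0;
    return 0;
}

/* Bytes a later data-stage copy would touch beyond data_buf (0 = safe). */
size_t overrun_bytes(const struct usb_model *s) {
    if (s->setup_len <= (int32_t)sizeof(s->data_buf)) return 0;
    return (size_t)s->setup_len - sizeof(s->data_buf);
}

int main(void) {
    const uint8_t big[8] = {0, 0, 0, 0, 0, 0, 0xff, 0xff}; /* constructed: wLength = 0xffff */
    struct usb_model a = {0}, b = {0};
    int ra = setup_flawed(&a, big), rb = setup_checked(&b, big);
    printf("flawed:  rc=%d overrun=%zu\n", ra, overrun_bytes(&a));
    printf("checked: rc=%d overrun=%zu\n", rb, overrun_bytes(&b));
    return 0;
}
```

Both variants reject the oversized request; the difference is the state left behind, which is what a reviewer should check when auditing similar length-then-copy code paths.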

Comment 2 Prasad J Pandit 2020-08-18 10:56:44 UTC
Acknowledgments:

Name: Xiao Wei (360.com), Ziming Zhang

Comment 8 Prasad J Pandit 2020-08-24 12:55:19 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1871849]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1871850]

Comment 9 Prasad J Pandit 2020-08-24 13:03:48 UTC
Mitigation:

Using the Libvirt management interface to manage guest VMs significantly reduces the impact of this issue. Libvirt starts each guest process with unprivileged system user (e.g. qemu) privileges and further confines the process with strict sVirt and SELinux policies.

* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/

Comment 13 Nick Tait 2020-08-27 19:55:45 UTC
Statement:

This issue affects the version of the qemu-kvm package as shipped with Red Hat Enterprise Linux 6, 7 and 8. Future qemu-kvm package updates for Red Hat Enterprise Linux 6, 7 and 8 may address this issue.

Red Hat Enterprise Linux 5 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in its future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat OpenStack Platform 15 and newer consume fixes directly from the Red Hat Enterprise Linux 8 Advanced Virtualization repository.

Comment 82 errata-xmlrpc 2020-09-29 08:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:4058 https://access.redhat.com/errata/RHSA-2020:4058

Comment 83 errata-xmlrpc 2020-09-29 08:25:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2020:4054 https://access.redhat.com/errata/RHSA-2020:4054

Comment 84 errata-xmlrpc 2020-09-29 08:25:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2020:4055 https://access.redhat.com/errata/RHSA-2020:4055

Comment 85 errata-xmlrpc 2020-09-29 08:26:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:4048 https://access.redhat.com/errata/RHSA-2020:4048

Comment 86 errata-xmlrpc 2020-09-29 08:37:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4049 https://access.redhat.com/errata/RHSA-2020:4049

Comment 87 Product Security DevOps Team 2020-09-29 08:40:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14364

Comment 88 errata-xmlrpc 2020-09-29 08:42:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:4050 https://access.redhat.com/errata/RHSA-2020:4050

Comment 89 errata-xmlrpc 2020-09-29 08:43:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:4051 https://access.redhat.com/errata/RHSA-2020:4051

Comment 90 errata-xmlrpc 2020-09-29 08:45:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4047 https://access.redhat.com/errata/RHSA-2020:4047

Comment 91 errata-xmlrpc 2020-09-29 08:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059

Comment 92 errata-xmlrpc 2020-09-29 15:22:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:4052 https://access.redhat.com/errata/RHSA-2020:4052

Comment 93 errata-xmlrpc 2020-09-29 15:28:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4053 https://access.redhat.com/errata/RHSA-2020:4053

Comment 94 errata-xmlrpc 2020-09-29 22:15:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4078 https://access.redhat.com/errata/RHSA-2020:4078

Comment 95 errata-xmlrpc 2020-09-30 05:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4079 https://access.redhat.com/errata/RHSA-2020:4079

Comment 96 errata-xmlrpc 2020-09-30 09:18:48 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111

Comment 97 errata-xmlrpc 2020-09-30 09:21:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111

Comment 98 errata-xmlrpc 2020-09-30 09:22:59 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111

Comment 99 errata-xmlrpc 2020-09-30 10:12:59 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115

Comment 108 errata-xmlrpc 2020-10-01 14:59:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:4162 https://access.redhat.com/errata/RHSA-2020:4162

Comment 113 errata-xmlrpc 2020-10-05 09:58:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:4167 https://access.redhat.com/errata/RHSA-2020:4167

Comment 114 errata-xmlrpc 2020-10-05 13:09:37 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172

Comment 115 errata-xmlrpc 2020-10-05 20:43:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:4176 https://access.redhat.com/errata/RHSA-2020:4176

Comment 116 errata-xmlrpc 2020-10-07 17:26:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:4056 https://access.redhat.com/errata/RHSA-2020:4056

Comment 117 errata-xmlrpc 2020-10-20 09:25:18 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:4291 https://access.redhat.com/errata/RHSA-2020:4291

Comment 118 errata-xmlrpc 2020-10-20 09:28:51 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:4290 https://access.redhat.com/errata/RHSA-2020:4290

