Bug 1869201 (CVE-2020-14364) - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets
Summary: CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1869684 1869686 1869687 1869688 1869689 1869690 1869691 1869692 1869693 1869694 1869695 1869696 1869697 1869698 1869699 1869700 1869701 1869703 1869704 1869705 1869706 1869707 1869708 1869709 1869710 1869711 1869712 1869713 1869714 1869715 1869716 1869718 1871849 1871850 1873313 1877667 1878008 1878044 1878045 1878684 1910680
Blocks: 1868610
TreeView+ depends on / blocked
 
Reported: 2020-08-17 09:33 UTC by Prasad Pandit
Modified: 2023-12-15 18:52 UTC (History)
57 users (show)

Fixed In Version: QEMU-5.2.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2020-09-29 08:40:52 UTC
Embargoed:
jmaloy: needinfo-

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4047 0 None None None 2020-09-29 08:46:18 UTC
Red Hat Product Errata RHSA-2020:4048 0 None None None 2020-09-29 08:26:40 UTC
Red Hat Product Errata RHSA-2020:4049 0 None None None 2020-09-29 08:37:14 UTC
Red Hat Product Errata RHSA-2020:4050 0 None None None 2020-09-29 08:42:47 UTC
Red Hat Product Errata RHSA-2020:4051 0 None None None 2020-09-29 08:43:29 UTC
Red Hat Product Errata RHSA-2020:4052 0 None None None 2020-09-29 15:22:02 UTC
Red Hat Product Errata RHSA-2020:4053 0 None None None 2020-09-29 15:28:57 UTC
Red Hat Product Errata RHSA-2020:4054 0 None None None 2020-09-29 08:25:38 UTC
Red Hat Product Errata RHSA-2020:4055 0 None None None 2020-09-29 08:26:02 UTC
Red Hat Product Errata RHSA-2020:4056 0 None None None 2020-10-07 17:26:53 UTC
Red Hat Product Errata RHSA-2020:4058 0 None None None 2020-09-29 08:24:56 UTC
Red Hat Product Errata RHSA-2020:4059 0 None None None 2020-09-29 08:54:17 UTC
Red Hat Product Errata RHSA-2020:4078 0 None None None 2020-09-29 22:15:37 UTC
Red Hat Product Errata RHSA-2020:4079 0 None None None 2020-09-30 05:53:38 UTC
Red Hat Product Errata RHSA-2020:4111 0 None None None 2020-09-30 09:23:07 UTC
Red Hat Product Errata RHSA-2020:4115 0 None None None 2020-09-30 10:13:11 UTC
Red Hat Product Errata RHSA-2020:4162 0 None None None 2020-10-01 14:59:10 UTC
Red Hat Product Errata RHSA-2020:4167 0 None None None 2020-10-05 09:58:40 UTC
Red Hat Product Errata RHSA-2020:4172 0 None None None 2020-10-05 13:09:42 UTC
Red Hat Product Errata RHSA-2020:4176 0 None None None 2020-10-05 20:43:52 UTC
Red Hat Product Errata RHSA-2020:4290 0 None None None 2020-10-20 09:28:58 UTC
Red Hat Product Errata RHSA-2020:4291 0 None None None 2020-10-20 09:25:27 UTC

Description Prasad Pandit 2020-08-17 09:33:31 UTC 
An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when USBDevice 'setup_len' exceeds the 'data_buf[4096]' in do_token_in, do_token_out routines.

A guest user may use this flaw to crash the QEMU process resulting in DoS OR potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-08/msg05969.html
Comment 2 Prasad Pandit 2020-08-18 10:56:44 UTC 
Acknowledgments:

Name: Xiao Wei (360.com), Ziming Zhang
Comment 7 Prasad Pandit 2020-08-24 12:54:23 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/08/24/3
https://www.openwall.com/lists/oss-security/2020/08/24/2
Comment 8 Prasad Pandit 2020-08-24 12:55:19 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1871849]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1871850]
Comment 9 Prasad Pandit 2020-08-24 13:03:48 UTC 
Mitigation:

Using Libvirt management interface to manage guest VMs significantly reduces impact of this issue. Libvirt starts each guest process with an unprivileged system user(ex. qemu) privileges and further confines the process with strict sVirt and SELinux policies.

* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/
Comment 13 Nick Tait 2020-08-27 19:55:45 UTC 
Statement:

This issue affects the version of the qemu-kvm package as shipped with the Red Hat Enterprise Linux  6, 7 and 8. Future qemu-kvm package updates for Red Hat Enterprise Linux 6, 7 and 8 may
address this issue.

Red Hat Enterprise Linux 5 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in its future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat OpenStack Platform 15 and newer consume fixes directly from the Red Hat Enterprise Linux 8 Advanced Virtualization repository.
Comment 82 errata-xmlrpc 2020-09-29 08:24:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:4058 https://access.redhat.com/errata/RHSA-2020:4058
Comment 83 errata-xmlrpc 2020-09-29 08:25:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2020:4054 https://access.redhat.com/errata/RHSA-2020:4054
Comment 84 errata-xmlrpc 2020-09-29 08:25:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2020:4055 https://access.redhat.com/errata/RHSA-2020:4055
Comment 85 errata-xmlrpc 2020-09-29 08:26:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:4048 https://access.redhat.com/errata/RHSA-2020:4048
Comment 86 errata-xmlrpc 2020-09-29 08:37:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4049 https://access.redhat.com/errata/RHSA-2020:4049
Comment 87 Product Security DevOps Team 2020-09-29 08:40:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14364
Comment 88 errata-xmlrpc 2020-09-29 08:42:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:4050 https://access.redhat.com/errata/RHSA-2020:4050
Comment 89 errata-xmlrpc 2020-09-29 08:43:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:4051 https://access.redhat.com/errata/RHSA-2020:4051
Comment 90 errata-xmlrpc 2020-09-29 08:45:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4047 https://access.redhat.com/errata/RHSA-2020:4047
Comment 91 errata-xmlrpc 2020-09-29 08:54:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059
Comment 92 errata-xmlrpc 2020-09-29 15:22:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:4052 https://access.redhat.com/errata/RHSA-2020:4052
Comment 93 errata-xmlrpc 2020-09-29 15:28:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4053 https://access.redhat.com/errata/RHSA-2020:4053
Comment 94 errata-xmlrpc 2020-09-29 22:15:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4078 https://access.redhat.com/errata/RHSA-2020:4078
Comment 95 errata-xmlrpc 2020-09-30 05:53:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4079 https://access.redhat.com/errata/RHSA-2020:4079
Comment 96 errata-xmlrpc 2020-09-30 09:18:48 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111
Comment 97 errata-xmlrpc 2020-09-30 09:21:29 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111
Comment 98 errata-xmlrpc 2020-09-30 09:22:59 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111
Comment 99 errata-xmlrpc 2020-09-30 10:12:59 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115
Comment 108 errata-xmlrpc 2020-10-01 14:59:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:4162 https://access.redhat.com/errata/RHSA-2020:4162
Comment 113 errata-xmlrpc 2020-10-05 09:58:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:4167 https://access.redhat.com/errata/RHSA-2020:4167
Comment 114 errata-xmlrpc 2020-10-05 13:09:37 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172
Comment 115 errata-xmlrpc 2020-10-05 20:43:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:4176 https://access.redhat.com/errata/RHSA-2020:4176
Comment 116 errata-xmlrpc 2020-10-07 17:26:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:4056 https://access.redhat.com/errata/RHSA-2020:4056
Comment 117 errata-xmlrpc 2020-10-20 09:25:18 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:4291 https://access.redhat.com/errata/RHSA-2020:4291
Comment 118 errata-xmlrpc 2020-10-20 09:28:51 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:4290 https://access.redhat.com/errata/RHSA-2020:4290
Comment 120 Red Hat Bugzilla 2023-09-15 00:46:26 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.