Bug 1879652 (CVE-2020-25084) - CVE-2020-25084 QEMU: usb: use-after-free issue while setting up packet
Summary: CVE-2020-25084 QEMU: usb: use-after-free issue while setting up packet
Keywords:
Status: NEW
Alias: CVE-2020-25084
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1910679 1879653 1879654 1879656 1879657 1879658 1879659 1879660 1879661 1879662 1879663
Blocks: 1850259
TreeView+ depends on / blocked
 
Reported: 2020-09-16 18:01 UTC by Prasad J Pandit
Modified: 2021-06-22 00:30 UTC (History)
33 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the USB(xHCI/eHCI) controller emulators of QEMU. This flaw occurs while setting up the USB packet as a usb_packet_map() routine and returns an error that was not checked. This flaw allows a guest user or process to crash the QEMU process, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Prasad J Pandit 2020-09-16 18:01:17 UTC
An use-after-free issue was found in USB(xHCI/eHCI) controller emulators of QEMU. It occurs while setting up USB packet, as usb_packet_map() routine may return an error, which was not checked. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08050.html
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08043.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/09/16/5

Comment 1 Prasad J Pandit 2020-09-16 18:01:28 UTC
Acknowledgments:

Name: Sergej Schumilo (Ruhr-University Bochum), Cornelius Aschermann (Ruhr-University Bochum), Simon Wrner (Ruhr-University Bochum)

Comment 2 Prasad J Pandit 2020-09-16 18:01:32 UTC
External References:

https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fxhci_uaf_2

Comment 3 Prasad J Pandit 2020-09-16 18:02:06 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1879653]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1879654]

Comment 6 Nick Tait 2021-03-02 20:15:23 UTC
Statement:

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.


Note You need to log in before you can comment on or make changes to this bug.