Bug 2313497 (CVE-2024-8354) - CVE-2024-8354 qemu-kvm: usb: assertion failure in usb_ep_get()
Summary: CVE-2024-8354 qemu-kvm: usb: assertion failure in usb_ep_get()
Keywords:
Status: NEW
Alias: CVE-2024-8354
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2313500
Blocks:
Reported: 2024-09-19 09:19 UTC by OSIDB Bzimport
Modified: 2024-09-19 10:21 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-09-19 09:19:33 UTC
An assertion failure was found in QEMU in the usb_ep_get() function in hw/net/core.c. The TD PID needs to be either USB_TOKEN_IN or USB_TOKEN_OUT in usb_ep_get, but in the caller uhci_handle_td it may be USB_TOKEN_SETUP.

An unprivileged guest user may be able to reach the assertion. Users are not directly able to craft URBs; however, as a user, one might be able to find a kernel path that would send a TD with PID USB_TOKEN_SETUP to QEMU (which is called USB_PID_SETUP in Linux). For instance, in the Linux kernel, uhci_submit_control in drivers/usb/host/uhci-q.c:789 does link a USB_PID_SETUP TD to the URB.

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/2548
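
The failure mode described above, as an added C model that is not QEMU's code and not the upstream fix: an endpoint lookup that returns NULL for an unsupported PID/endpoint pair, so the caller can fail the transfer instead of aborting the process on guest-supplied data. The names ep_get_checked, handle_td and MAX_EP and the struct layout are hypothetical, and the rule that SETUP is accepted only on endpoint 0 is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* PID values from the USB specification. */
enum { USB_TOKEN_SETUP = 0x2d, USB_TOKEN_IN = 0x69, USB_TOKEN_OUT = 0xe1 };
#define MAX_EP 15  /* data endpoints 1..15 in this model (assumption) */

struct endpoint { int nr; };
struct device {
    struct endpoint ep_ctl;          /* endpoint 0: control */
    struct endpoint ep_in[MAX_EP];   /* endpoints 1..15, IN direction */
    struct endpoint ep_out[MAX_EP];  /* endpoints 1..15, OUT direction */
};

/* Hypothetical checked lookup: a (pid, ep) pair that names no endpoint
 * yields NULL instead of tripping an assertion on guest-supplied data. */
static struct endpoint *ep_get_checked(struct device *dev, int pid, int ep)
{
    if (dev == NULL || ep < 0 || ep > MAX_EP)
        return NULL;
    if (pid != USB_TOKEN_SETUP && pid != USB_TOKEN_IN && pid != USB_TOKEN_OUT)
        return NULL;
    if (ep == 0)
        return &dev->ep_ctl;
    if (pid == USB_TOKEN_SETUP)
        return NULL;                 /* model rule: SETUP only on endpoint 0 */
    return (pid == USB_TOKEN_IN ? dev->ep_in : dev->ep_out) + (ep - 1);
}

/* Model of a TD handler: decode the guest-written token word (UHCI layout:
 * PID in bits 7:0, endpoint in bits 18:15) and reject a bad pair.
 * Returns 0 when an endpoint was resolved, -1 when the TD is rejected. */
static int handle_td(struct device *dev, uint32_t token)
{
    int pid = token & 0xff;
    int ep = (token >> 15) & 0xf;

    if (ep_get_checked(dev, pid, ep) == NULL)
        return -1;                   /* complete the TD with a transfer error */
    return 0;
}

int main(void)
{
    static struct device dev;
    /* Constructed token words: SETUP on endpoint 0, then SETUP on endpoint 1. */
    printf("%d %d\n", handle_td(&dev, 0x2du), handle_td(&dev, (1u << 15) | 0x2du));
    return 0;
}
```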

