An infinite loop issue was found in the USB xHCI controller emulation of QEMU. Specifically, function xhci_ring_chain_length() in hw/usb/hcd-xhci.c may get stuck while fetching TRBs from guest memory, since the exit conditions of the loop depend on values that are fully controlled by the guest. A privileged guest user may exploit this issue to hang the QEMU process on the host, resulting in a denial of service.
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1908051]
Affects: fedora-all [bug 1908050]
In reply to comment #0:
> Specifically, function xhci_ring_chain_length() in hw/usb/hcd-xhci.c
> may get stuck while fetching TRBs from guest memory, since the exit
> conditions of the loop depend on values that are fully controlled by guest.

To be more precise, xhci_ring_chain_length() is responsible for computing the size of the Transfer Request Block (TRB) Ring by repeatedly fetching TRBs from the 'dequeue' pointer.
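To make the loop shape concrete, here is an added C model of the ring walk described in comment #0 and the clarification above. It is not QEMU's hw/usb/hcd-xhci.c and not the upstream patch: the TRB field positions (cycle bit 0, chain bit 4, toggle-cycle bit 1, type in bits 10-15) follow the xHCI TRB layout, but the tiny "guest memory" array, the fuel guard that keeps the model from actually hanging, the error codes, and the link limit of 32 are assumptions of this model. The point it shows is that a guest can make every exit condition false forever with two LINK TRBs that point at each other, and that a cap on consecutive link TRBs followed is one way to bound the walk; consult the upstream commit for what the actual fix does.

```c
/* Added model of an xHCI TRB ring walk, not QEMU code. Guest memory is a
 * fixed array of TRBs; "address" i*TRB_SIZE is slot i. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TRB_SIZE        16
#define TRB_C           (1u << 0)   /* cycle bit */
#define TRB_LK_TC       (1u << 1)   /* link TRB: toggle cycle */
#define TRB_TR_CH       (1u << 4)   /* chain bit */
#define TRB_TYPE_SHIFT  10
#define TRB_TYPE(ctl)   (((ctl) >> TRB_TYPE_SHIFT) & 0x3f)

enum { TR_NORMAL = 1, TR_SETUP = 2, TR_STATUS = 4, TR_LINK = 6 };

typedef struct { uint64_t parameter; uint32_t status; uint32_t control; } XHCITRB;

#define GUEST_SLOTS 8
typedef struct { XHCITRB trb[GUEST_SLOTS]; } GuestMem;   /* constructed guest RAM */

/* Model-specific result codes (assumption, not QEMU's). */
enum { WALK_LOOPED = -1000, WALK_LINK_LIMIT = -1001, WALK_BAD_ADDR = -1002 };

static int guest_read(const GuestMem *mem, uint64_t addr, XHCITRB *out)
{
    if (addr % TRB_SIZE || addr / TRB_SIZE >= GUEST_SLOTS) return -1;
    *out = mem->trb[addr / TRB_SIZE];
    return 0;
}

/* Walk the ring from 'dequeue' and count TRBs up to the end of the TD.
 * link_limit == 0 reproduces the unbounded shape: the only exits are the
 * guest-written cycle and chain bits. link_limit > 0 caps how many LINK
 * TRBs are followed. 'fuel' exists only so this model terminates. */
static int ring_chain_length(const GuestMem *mem, uint64_t dequeue, bool ccs,
                             int link_limit, int fuel)
{
    int length = 0, link_cnt = 0;
    bool control_td_set = false;           /* bundle SETUP..STATUS into one TD */

    while (fuel-- > 0) {
        XHCITRB trb;
        if (guest_read(mem, dequeue, &trb)) return WALK_BAD_ADDR;
        if (((trb.control & TRB_C) != 0) != ccs) return -length;   /* ring empty */

        unsigned type = TRB_TYPE(trb.control);
        if (type == TR_LINK) {
            if (link_limit > 0 && ++link_cnt > link_limit) return WALK_LINK_LIMIT;
            dequeue = trb.parameter & ~0xfULL;   /* jump wherever the guest says */
            if (trb.control & TRB_LK_TC) ccs = !ccs;
            continue;                            /* no progress counted here */
        }
        length++;
        dequeue += TRB_SIZE;
        if (type == TR_SETUP) control_td_set = true;
        else if (type == TR_STATUS) control_td_set = false;
        if (!control_td_set && !(trb.control & TRB_TR_CH)) return length;
    }
    return WALK_LOOPED;                          /* fuel gone: real code spins */
}

/* Constructed layout: a 3-TRB TD (two chained NORMALs, then one unchained). */
static void build_normal_td(GuestMem *mem)
{
    for (int i = 0; i < GUEST_SLOTS; i++) mem->trb[i] = (XHCITRB){0};
    for (int i = 0; i < 3; i++)
        mem->trb[i].control = (TR_NORMAL << TRB_TYPE_SHIFT) | TRB_C | (i < 2 ? TRB_TR_CH : 0);
}

/* Constructed layout: two LINK TRBs pointing at each other, cycle bit set,
 * toggle-cycle clear. Cycle never mismatches, chain is never inspected. */
static void build_link_loop(GuestMem *mem)
{
    for (int i = 0; i < GUEST_SLOTS; i++) mem->trb[i] = (XHCITRB){0};
    mem->trb[0].control = (TR_LINK << TRB_TYPE_SHIFT) | TRB_C;
    mem->trb[0].parameter = 1 * TRB_SIZE;
    mem->trb[1].control = (TR_LINK << TRB_TYPE_SHIFT) | TRB_C;
    mem->trb[1].parameter = 0 * TRB_SIZE;
}

int demo_normal_td(void)
{
    GuestMem mem;
    build_normal_td(&mem);
    return ring_chain_length(&mem, 0, true, 0, 1000);   /* expect 3 */
}

int demo_link_loop(int link_limit)
{
    GuestMem mem;
    build_link_loop(&mem);
    return ring_chain_length(&mem, 0, true, link_limit, 1000);
}

int main(void)
{
    printf("well-formed TD: %d TRBs\n", demo_normal_td());
    printf("guest link loop, no bound: %d (WALK_LOOPED = fuel exhausted)\n", demo_link_loop(0));
    printf("guest link loop, limit 32: %d (WALK_LINK_LIMIT)\n", demo_link_loop(32));
    return 0;
}
```

The unbounded walk only ever returns because the fuel guard runs out; without it the loop has no exit that the guest does not control, which is the hang the report describes. The bounded walk returns an error after 32 link hops regardless of ring contents.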
Statement: This flaw has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Acknowledgments: Name: Gaoning Pan (Ant Security Light-Year Lab), Xingwei Li (Ant Security Light-Year Lab)
Was this issue brought to upstream? (It's low impact, but according to several cross-distro bugzillas it seems to somehow have stalled as a bug report to upstream or was not discussed with qemu-devel.) Any idea?
(In reply to Salvatore Bonaccorso from comment #12)
> Was this issue brought to upstream? (It's low impact, but according to
> several cross-distro bugzillas it seems to somehow have stalled as a bug report
> to upstream or was not discussed with qemu-devel.) Any idea?

I don't recall this being discussed upstream.
In reply to comment #12:
> Was this issue brought to upstream? (It's low impact, but according to
> several cross-distro bugzillas it seems to somehow have stalled as a bug report
> to upstream or was not discussed with qemu-devel.) Any idea?

I don't think it was. I'm not sure why it got stuck, but I can open a new issue to bring this up.
Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/646.
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc