summary refs log tree commit diff stats
path: root/results/classifier/108/other/646
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/other/646')
-rw-r--r--results/classifier/108/other/64633
1 files changed, 33 insertions, 0 deletions
diff --git a/results/classifier/108/other/646 b/results/classifier/108/other/646
new file mode 100644
index 000000000..e64ba7821
--- /dev/null
+++ b/results/classifier/108/other/646
@@ -0,0 +1,33 @@
+device: 0.832
+files: 0.826
+permissions: 0.727
+graphic: 0.723
+network: 0.717
+socket: 0.713
+vnc: 0.701
+PID: 0.680
+other: 0.618
+boot: 0.543
+semantic: 0.541
+debug: 0.507
+performance: 0.449
+KVM: 0.334
+
+Infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c (CVE-2020-14394)
+Description of problem:
+An infinite loop issue was found in the USB xHCI controller emulation of QEMU. Specifically, function `xhci_ring_chain_length()` in hw/usb/hcd-xhci.c may get stuck while fetching empty TRBs from guest memory, since the exit conditions of the loop depend on values that are fully controlled by guest. A privileged guest user may exploit this issue to hang the QEMU process on the host, resulting in a denial of service.
+Steps to reproduce:
+Build and load `xhci.ko` from within the guest:
+
+1) make
+2) insmod xhci.ko
+
+[Makefile](/uploads/98dbf7b4facc9b100817b3c8f63b5cb2/Makefile)
+
+[usb-xhci.h](/uploads/f225524b1553d8cf6c1dfa89369b6edc/usb-xhci.h)
+
+[xhci.c](/uploads/c635f742d12a2bba6ea472ddfe006d56/xhci.c)
+Additional information:
+This issue was reported by Gaoning Pan (Zhejiang University) and Xingwei Li (Ant Security Light-Year Lab).
+
+RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1908004.