blob: e64ba7821afddd543de7d472a387ddeadd8e1ce4 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
device: 0.832
files: 0.826
permissions: 0.727
graphic: 0.723
network: 0.717
socket: 0.713
vnc: 0.701
PID: 0.680
other: 0.618
boot: 0.543
semantic: 0.541
debug: 0.507
performance: 0.449
KVM: 0.334
Infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c (CVE-2020-14394)
Description of problem:
An infinite loop issue was found in the USB xHCI controller emulation of QEMU. Specifically, function `xhci_ring_chain_length()` in hw/usb/hcd-xhci.c may get stuck while fetching empty TRBs from guest memory, since the exit conditions of the loop depend on values that are fully controlled by guest. A privileged guest user may exploit this issue to hang the QEMU process on the host, resulting in a denial of service.
Steps to reproduce:
Build and load `xhci.ko` from within the guest:
1) make
2) insmod xhci.ko
[Makefile](/uploads/98dbf7b4facc9b100817b3c8f63b5cb2/Makefile)
[usb-xhci.h](/uploads/f225524b1553d8cf6c1dfa89369b6edc/usb-xhci.h)
[xhci.c](/uploads/c635f742d12a2bba6ea472ddfe006d56/xhci.c)
Additional information:
This issue was reported by Gaoning Pan (Zhejiang University) and Xingwei Li (Ant Security Light-Year Lab).
RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1908004.
|