Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 5 May 2021 19:09:40 +0200
From: Mauro Matteo Cascella <mcascell@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Remy Noel <remy.noel@...de-group.com>
Subject: CVE-2021-3527 QEMU: usb: unbounded stack allocation in usbredir

Hello,

A flaw was found in the USB redirector device (usb-redir) of QEMU.
Small USB packets are combined into a single, large transfer request,
to reduce the overhead and improve performance. The combined size of
the bulk transfer is used to dynamically allocate a variable length
array (VLA) on the stack without proper validation. Since the total
size is not bounded, a malicious guest could use this flaw to
influence the array length and cause the QEMU process to perform an
excessive allocation on the stack, resulting in a denial of service.

Note: in addition to usb-redir, the patchset below fixes other places
in the code where stack-allocated VLAs were used (notably, usb/hid and
usb/mtp).

Upstream patchset:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html

Acknowledgements: Remy Noel (cc'd).
CVE-2021-3527 assigned by Red Hat, Inc.

Best regards.
-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.