oss-sec mailing list archives

CVE request Qemu: usb: infinite loop in ehci_advance_state results in DoS

From: P J P <ppandit () redhat com>
Date: Mon, 14 Dec 2015 20:40:29 +0530 (IST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Hello,

Qemu emulator built with the USB EHCI emulation support is vulnerable to aninfinite loop issue. It occurs during communication between host controllerinterface(EHCI) and a respective device driver. These two communicate via aisochronous transfer descriptor list(iTD) and an infinite loop unfolds ifthere is a closed loop in this list.

A privileges user inside guest could use this flaw to consume excessive CPUcycles & resources on the host.


Upstream fix:
- -------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02124.html

This issue was discovered by Qinghao Tang of QIHU 360 Marvel Team.

Thank you.
- --
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWbtvmAAoJEN0TPTL+WwQf3MIQAJDWcJuiUFDPuHWQU1iVoUT3
Cp0PUxY37ldRTq3TYGw/7UEIJscULwDiVqtmkso+f67v70BRh8cQf/HiIDM93Zq8
fb9q4l3JSZZu6pSGiJKe2C7iwoIT5SA0JqzYhQQFlZvt/osFIxFtcAg+ribl092b
QMtNksA2/mUL7L+LP4mHgzAy0tTDNMp/fPE189bZID6iLvul1sQxE1HdBsRhYVDU
4Q0FWSO62If21/GyI5Rqrh11tpeXeWdqIYfJVETxdSzLzgqHlT6GyH5iZfnoTMxI
3H8yrqsFGFZhJP7caFd51cK+CbBAN/PP4z6SRfKJsPjX9eJp8YX1+u3WrvU/sMTA
f8dPDRnD0VZgW9dku0ETxXGuV4rXN17CgNm6i7Qft1JHZA5OGlxewMX2pgAcp/cM
9eVaBWPUKAjei1GUNfhxX3DLeSDt5cC83ICEedNhozY5k9UuwUGTl/p5I5UQVuqY
Z4xiDzuUE3O0IVpEQvyF3eiYd5dRFrq3qo6NG/KEd+A7dCmVprJLWGzMjbp/Onmz
LQFyw8eI+Q2znFqpSKNnYDjZemw2cTEkuHBXnWKOgtPb7iisWE3ke9WLVhgcc3O7
nT9raTZXn3feowabwDpBu+BOmejiN1TXkNR3e/CpBLqvZlatGdc1KCPm58zxTMWs
SZm4zSvaSyky/pMJonCU
=SYEW
-----END PGP SIGNATURE-----

Current thread:

CVE request Qemu: usb: infinite loop in ehci_advance_state results in DoS P J P (Dec 14)
- Re: CVE request Qemu: usb: infinite loop in ehci_advance_state results in DoS cve-assign (Dec 14)