CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

[P J P <ppandit () redhat com>]

  Hello,

An out-of-bounds read/write access issue was found in the USB emulator of the 
QEMU. It occurs while processing USB packets from a guest, when 
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in 
do_token_{in,out} routines.

A guest user may use this flaw to crash the QEMU process resulting in DoS OR 
potentially execute arbitrary code with the privileges of the QEMU process on 
the host.

* Attached herein is an upstream patch from Gerd Hoffmann(CC'd) to fix this
  issue.

* 'CVE-2020-14364' is assigned to this issue by Red Hat Inc.

* This issue was independently reported by Ziming Zhang, Gonglei Arei and
  Yanyu Zhang(CC'd).

  Gonglei and Yanyu mentioned that the issue was found by Xiao Wei(CC'd).


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Attachment: 0001-usb-fix-setup-len-init.patch
Description: