qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)

From: Mauro Matteo Cascella
Subject: Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Date: Mon, 23 Aug 2021 11:59:07 +0200 
Hi,

On Fri, Aug 20, 2021 at 3:07 PM Philippe Mathieu-Daudé
<philmd@redhat.com> wrote:
>
> Cc'ing Mauro to double-check.
>
> On 8/20/21 2:12 PM, Peter Maydell wrote:
> > On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >>
> >> Security fix.  Sorry for the last-minute patch, I had completely
> >> forgotten this one until the CVE number for it arrived today.
> >>
> >> Given that the classic usb storage device is way more popular than
> >> the uas (usb attached scsi) device the impact should be pretty low
> >> and we might consider to not screw up our release schedule for this.
> >
> > What's the impact if the bug is exploited ?
>
> Bug class: "guest-triggered user-after-free".
>
> Being privileged (root) in the guest, you can leak some data from
> the host process then DoS the host or potentially exploit the
> use-after-free to execute code on the host.
>

This is actually an out-of-bounds access issue (not UAF). It's still
potentially bad, but I agree with Gerd the impact is low. Plus there's
an assert right before [1] that makes it a DoS if the accessed memory
is not NULL.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/hw/usb/dev-uas.c#L850

Regards.
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
reply via email to
[Prev in Thread] Current Thread [Next in Thread]