A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1955695 | issue tracking third party advisory patch |
| https://www.openwall.com/lists/oss-security/2021/05/05/5 | mailing list third party advisory patch |
| https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 | third party advisory patch |
| https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c | third party advisory patch |
| https://security.netapp.com/advisory/ntap-20210708-0008/ | third party advisory |
| https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/202208-27 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html | third party advisory mailing list |