[PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)

Gerd Hoffmann posted 1 patch 2 years, 8 months ago
Test checkpatch passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20210818120505.1258262-1-kraxel@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
hw/usb/dev-uas.c | 11 +++++++++++
1 file changed, 11 insertions(+)
[PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Gerd Hoffmann 2 years, 8 months ago
Security fix.  Sorry for the last-minute patch, I had completely
forgotten this one until the CVE number for it arrived today.

Given that the classic usb storage device is way more popular than
the uas (usb attached scsi) device the impact should be pretty low
and we might consider to not screw up our release schedule for this.

take care,
  Gerd

Gerd Hoffmann (1):
  uas: add stream number sanity checks.

 hw/usb/dev-uas.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

-- 
2.31.1



Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Philippe Mathieu-Daudé 2 years, 8 months ago
On 8/18/21 2:05 PM, Gerd Hoffmann wrote:
> Security fix.  Sorry for the last-minute patch, I had completely
> forgotten this one until the CVE number for it arrived today.
> 
> Given that the classic usb storage device is way more popular than
> the uas (usb attached scsi) device the impact should be pretty low
> and we might consider to not screw up our release schedule for this.

So 6.1-rc5 or stable?


Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Peter Maydell 2 years, 8 months ago
On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> Security fix.  Sorry for the last-minute patch, I had completely
> forgotten this one until the CVE number for it arrived today.
>
> Given that the classic usb storage device is way more popular than
> the uas (usb attached scsi) device the impact should be pretty low
> and we might consider to not screw up our release schedule for this.

What's the impact if the bug is exploited ?

-- PMM

Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Philippe Mathieu-Daudé 2 years, 8 months ago
Cc'ing Mauro to double-check.

On 8/20/21 2:12 PM, Peter Maydell wrote:
> On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
>>
>> Security fix.  Sorry for the last-minute patch, I had completely
>> forgotten this one until the CVE number for it arrived today.
>>
>> Given that the classic usb storage device is way more popular than
>> the uas (usb attached scsi) device the impact should be pretty low
>> and we might consider to not screw up our release schedule for this.
> 
> What's the impact if the bug is exploited ?

Bug class: "guest-triggered use-after-free".

Being privileged (root) in the guest, you can leak some data from
the host process then DoS the host or potentially exploit the
use-after-free to execute code on the host.


Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Mauro Matteo Cascella 2 years, 8 months ago
Hi,

On Fri, Aug 20, 2021 at 3:07 PM Philippe Mathieu-Daudé
<philmd@redhat.com> wrote:
>
> Cc'ing Mauro to double-check.
>
> On 8/20/21 2:12 PM, Peter Maydell wrote:
> > On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >>
> >> Security fix.  Sorry for the last-minute patch, I had completely
> >> forgotten this one until the CVE number for it arrived today.
> >>
> >> Given that the classic usb storage device is way more popular than
> >> the uas (usb attached scsi) device the impact should be pretty low
> >> and we might consider to not screw up our release schedule for this.
> >
> > What's the impact if the bug is exploited ?
>
> Bug class: "guest-triggered use-after-free".
>
> Being privileged (root) in the guest, you can leak some data from
> the host process then DoS the host or potentially exploit the
> use-after-free to execute code on the host.
>

This is actually an out-of-bounds access issue (not UAF). It's still
potentially bad, but I agree with Gerd the impact is low. Plus there's
an assert right before [1] that makes it a DoS if the accessed memory
is not NULL.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/hw/usb/dev-uas.c#L850

Regards.
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
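
The distinction Mauro draws above (an out-of-bounds index versus an assert that turns a busy slot into an abort) is the whole content of a "stream number sanity check". The following is an added illustration, not the QEMU patch or QEMU code: a constructed, hypothetical UAS-style device with a fixed stream table, where the guest-supplied stream number is range-checked before it is used as an index and a busy slot is reported as an error rather than asserted on. `UASDevice`, `UASStream`, `UAS_MAX_STREAMS` and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, hypothetical model: the guest names a stream in each
 * command and the device keeps per-stream state in a fixed-size table.
 * The size and names are illustrative, not taken from hw/usb/dev-uas.c. */
#define UAS_MAX_STREAMS 16

typedef struct {
    void *data_request;   /* non-NULL while a transfer is pending on the slot */
} UASStream;

typedef struct {
    UASStream streams[UAS_MAX_STREAMS];
} UASDevice;

static void uas_device_init(UASDevice *s)
{
    memset(s, 0, sizeof(*s));
}

/* The check the thread is about: the stream number is guest-controlled,
 * so it must be validated before it becomes an array index.  Without this,
 * a value >= UAS_MAX_STREAMS reads/writes past the table (out of bounds). */
static bool uas_stream_valid(uint32_t stream)
{
    return stream < UAS_MAX_STREAMS;
}

/* Start a transfer on a stream.  Returns false (command rejected) on an
 * invalid stream number or a busy slot.  An assert() on the slot instead
 * of the busy check would let the guest abort the host process (DoS). */
static bool uas_start_checked(UASDevice *s, uint32_t stream)
{
    if (!uas_stream_valid(stream)) {
        return false;                 /* bad index: no memory access at all */
    }
    UASStream *st = &s->streams[stream];
    if (st->data_request != NULL) {
        return false;                 /* slot busy: report, do not abort */
    }
    st->data_request = st;            /* mark the slot as in use */
    return true;
}

static void uas_complete(UASDevice *s, uint32_t stream)
{
    if (uas_stream_valid(stream)) {
        s->streams[stream].data_request = NULL;
    }
}
```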


Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
Posted by Peter Maydell 2 years, 8 months ago
On Mon, 23 Aug 2021 at 10:59, Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>
> Hi,
>
> On Fri, Aug 20, 2021 at 3:07 PM Philippe Mathieu-Daudé
> <philmd@redhat.com> wrote:
> >
> > Cc'ing Mauro to double-check.
> >
> > On 8/20/21 2:12 PM, Peter Maydell wrote:
> > > On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
> > >>
> > >> Security fix.  Sorry for the last-minute patch, I had completely
> > >> forgotten this one until the CVE number for it arrived today.
> > >>
> > >> Given that the classic usb storage device is way more popular than
> > >> the uas (usb attached scsi) device the impact should be pretty low
> > >> and we might consider to not screw up our release schedule for this.
> > >
> > > What's the impact if the bug is exploited ?
> >
> > Bug class: "guest-triggered use-after-free".
> >
> > Being privileged (root) in the guest, you can leak some data from
> > the host process then DoS the host or potentially exploit the
> > use-after-free to execute code on the host.
> >
>
> This is actually an out-of-bounds access issue (not UAF). It's still
> potentially bad, but I agree with Gerd the impact is low. Plus there's
> an assert right before [1] that makes it a DoS if the accessed memory
> is not NULL.

Thanks. OK, (and following discussion of this on IRC on Friday)
we won't put this fix into 6.1. (That is, we treat it the same way
we would if the CVE patch had arrived the day after we tagged 6.1,
i.e. distros and other interested parties pick up the patch as they
would any other security fix.)

-- PMM