REDHAT-BUG-1955695
First published: Fri Apr 30 2021(Updated: )
A flaw was found in the USB redirection support (usb-redir) of QEMU. More specifically, usb-host and usb-redirect try to batch bulk transfers by combining many small USB packets into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk sending is used in usbredir_handle_bulk_data() to dynamically allocate a variable length array (VLA) on the stack. Since the total size is not bounded, a malicious guest could be able to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QEMU |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1956201
- https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
- https://www.openwall.com/lists/oss-security/2021/05/05/5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1955695#c5
- https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html
- https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html
- https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
- https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
- https://bugzilla.redhat.com/show_bug.cgi?id=1955695
Frequently Asked Questions
What is the severity of REDHAT-BUG-1955695?
The severity of REDHAT-BUG-1955695 is classified as moderate due to potential impact on USB redirection functionality.
How do I fix REDHAT-BUG-1955695?
To fix REDHAT-BUG-1955695, update your QEMU installation to the latest patched version provided by the vendor.
What components are affected by REDHAT-BUG-1955695?
The components affected by REDHAT-BUG-1955695 are the usb-host and usb-redirect functionalities in QEMU.
What kind of vulnerability is REDHAT-BUG-1955695?
REDHAT-BUG-1955695 is a flaw related to batch processing of USB packets in QEMU's USB redirection support.
Who is the vendor for REDHAT-BUG-1955695?
The vendor for REDHAT-BUG-1955695 is QEMU.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3527
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/qemu
- canonical/qemu