September 21, 2020

CVE-2020-14364: QEMU USB module out-of-bounds read and write Vulnerability Alert

2 min read
Recently, 2020, QEMU issued a risk notice for the qemu memory out-of-bounds vulnerability. The vulnerability number is CVE-2020-14364, the vulnerability level is severe, and the vulnerability score is 10. By constructing special memory data, the attacker can cause the virtual machine to escape and execute arbitrary code.Linux kernel updates

Vulnerability Detail

The vulnerability exists in the Qemu USB module, which can cause out-of-bounds reading and writing, and thus realize virtual machine escape.
@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
 static void do_token_setup(USBDevice *s, USBPacket *p)
 {
     int request, value, index;
+    unsigned int setup_len;

     if (p->iov.size != 8) {
         p->status = USB_RET_STALL;
@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
     usb_packet_copy(p, s->setup_buf, p->iov.size);
     s->setup_index = 0;
     p->actual_length = 0;
-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
         fprintf(stderr,
                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
         p->status = USB_RET_STALL;
         return;
     }
+    s->setup_len = setup_len;

All versions of Qemu shipped with in-support versions of Xen are vulnerable. This includes both qemu-traditional and qemu-xen.

The vulnerability can only be exploited when Qemu is used as a device model. This configuration is only used by default for x86 HVM guests. x86 PV, PVH and ARM guest do not use a device model by default.

Guests configured to use a Qemu stubdomain contain the code execution within the stubdomain, and are therefore not considered vulnerable.

Solution

In this regard, we recommend that users apply the latest repair solution to qemu in time. You should read the patch to migrate this vulnerability

XSA-335 – Xen Security Advisories

Red Hat:

Red Hat Customer Portal

Debian:

Debian CVE-2020-14364