Vigil@nce - QEMU: memory leak via the USB OHCI emulation
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A privileged attacker in the guest platform can create a memory
leak in the OHCI emulation of QEMU, in order to trigger a denial
of service.
Impacted products: QEMU.
Severity: 1/4.
Creation date: 16/02/2016.
DESCRIPTION OF THE VULNERABILITY
The QEMU product is a hardware emulator. It can emulate USB buses
and devices with OHCI interfaces.
When the emulated USB controller changes state, QEMU allocates a
timer. However, it does not check whether a timer for this usage
already exists. In such a case, the existing timer becomes lost,
creating a memory leak. Moreover, these repeated allocations may
lead to the use of a NULL pointer after one of the redundant timers
is freed.
A privileged attacker in the guest platform can therefore create a
memory leak in the OHCI emulation of QEMU, in order to trigger a
denial of service.
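To make the defect pattern concrete, the following is an added example (not QEMU's code; the timer and controller types, and the functions timer_alloc, timer_release, set_state_leaky, set_state_fixed and cycles_leak, are constructed stand-ins) contrasting a state-change handler that allocates a timer on every transition with one that allocates it at most once and reuses it:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an emulator's timer object; not QEMU's API. */
typedef struct Timer { int armed; } Timer;

static int live_timers = 0;   /* allocations that have not been freed yet */

static Timer *timer_alloc(void) { live_timers++; return calloc(1, sizeof(Timer)); }
static void timer_release(Timer *t) { if (t) { live_timers--; free(t); } }

/* Controller state: only the timer pointer matters for this example. */
typedef struct Controller { int state; Timer *eof_timer; } Controller;

/* Leaky pattern: every transition into the operational state allocates a
 * new timer and overwrites the pointer, so the previous one is never freed. */
static void set_state_leaky(Controller *c, int operational) {
    if (operational) {
        c->eof_timer = timer_alloc();   /* any existing timer is lost here */
    } else {
        timer_release(c->eof_timer);    /* frees only the most recent timer */
        c->eof_timer = NULL;
    }
    c->state = operational;
}

/* Hardened pattern: allocate at most once and reuse across transitions. */
static void set_state_fixed(Controller *c, int operational) {
    if (operational) {
        if (c->eof_timer == NULL) {     /* the check the leaky version lacks */
            c->eof_timer = timer_alloc();
        }
        c->eof_timer->armed = 1;
    } else if (c->eof_timer) {
        c->eof_timer->armed = 0;        /* disarm, but keep the allocation */
    }
    c->state = operational;
}

/* Run n cycles in which the guest enters the operational state twice, then
 * resets; return how many timers are still live after controller teardown. */
static int cycles_leak(void (*set_state)(Controller *, int), int n) {
    Controller c = {0, NULL};
    live_timers = 0;
    for (int i = 0; i < n; i++) {
        set_state(&c, 1);
        set_state(&c, 1);   /* repeated entry: the leaky path allocates again */
        set_state(&c, 0);
    }
    timer_release(c.eof_timer);         /* free whatever the controller still holds */
    return live_timers;
}

int main(void) {
    printf("leaky: %d timer(s) leaked after 3 cycles\n", cycles_leak(set_state_leaky, 3));
    printf("fixed: %d timer(s) leaked after 3 cycles\n", cycles_leak(set_state_fixed, 3));
    return 0;
}
```

The leaky handler loses one timer per repeated state entry, which is the growth a guest can drive; the hardened handler's live count returns to zero once the controller is torn down.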
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/QEMU-memory-leak-via-the-USB-OHCI-emulation-18957