Vigil@nce: QEMU KVM, buffer overflow of usb_host_handle_control
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker inside a KVM guest system can access a USB device in
order to generate an overflow in usb_host_handle_control(),
leading to a denial of service and possibly to code execution.
Severity: 2/4
Consequences: administrator access/rights, denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/02/2010
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
When a USB device is plugged in, it can be accessed by a KVM guest
system.
USB exchanges are handled by the usb_host_handle_control()
function of the usb-linux.c file of QEMU KVM. However, if the USB
control data are too large for the buffer that receives them, a
buffer overflow occurs.
An attacker inside a KVM guest system can therefore access a USB
device in order to generate an overflow in
usb_host_handle_control(), leading to a denial of service and
possibly to code execution.
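As an added illustration of the bug class described above (constructed code, not QEMU's usb-linux.c; the device struct, the 64-byte buffer size and the USB_RET_STALL status value are hypothetical), a control handler that trusts the guest-supplied length is shown beside one that rejects any length larger than its destination buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration of the bug class; not QEMU's usb-linux.c code. */
#define CTRL_BUF_SIZE 64     /* hypothetical fixed-size control buffer */
#define USB_RET_STALL (-3)   /* hypothetical "request rejected" status */

struct usb_host_dev {
    struct { uint8_t buffer[CTRL_BUF_SIZE]; size_t len; } ctrl;
};

/* Vulnerable pattern: the guest-controlled length is trusted, so a control
 * transfer longer than CTRL_BUF_SIZE writes past the end of ctrl.buffer. */
static int handle_control_unchecked(struct usb_host_dev *s,
                                    const uint8_t *data, size_t length)
{
    memcpy(s->ctrl.buffer, data, length);   /* no bound check */
    s->ctrl.len = length;
    return (int)length;
}

/* Hardened pattern: compare the length with the destination before any
 * copy, and fail the request instead of overflowing. */
static int handle_control_checked(struct usb_host_dev *s,
                                  const uint8_t *data, size_t length)
{
    if (length > sizeof(s->ctrl.buffer))
        return USB_RET_STALL;
    memcpy(s->ctrl.buffer, data, length);
    s->ctrl.len = length;
    return (int)length;
}

typedef int (*control_fn)(struct usb_host_dev *, const uint8_t *, size_t);
/* Run fn on a constructed request of `length` bytes (capped at 2x buffer). */
static int try_control(control_fn fn, size_t length)
{
    struct usb_host_dev dev = { { {0}, 0 } };
    uint8_t req[CTRL_BUF_SIZE * 2];
    memset(req, 0x41, sizeof(req));
    if (length > sizeof(req)) length = sizeof(req);
    return fn(&dev, req, length);
}

int main(void)
{
    /* Both handlers agree while the request fits; only the checked one is
     * safe to call with an oversized request (the other would overflow). */
    printf("unchecked, 8 bytes: %d\n", try_control(handle_control_unchecked, 8));
    printf("checked, 128 bytes: %d\n", try_control(handle_control_checked, 128));
    return 0;
}
```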
CHARACTERISTICS
Identifiers: 557025, BID-38158, CVE-2010-0297, RHSA-2010:0088-02,
VIGILANCE-VUL-9421
http://vigilance.fr/vulnerability/QEMU-KVM-buffer-overflow-of-usb-host-handle-control-9421