Vigil@nce: QEMU KVM, buffer overflow of usb_host_handle_control
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker inside a KVM guest system can access a USB device in order to trigger an overflow in usb_host_handle_control(), leading to a denial of service and possibly to code execution on the host.
Consequences: administrator access/rights, denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/02/2010
Red Hat Enterprise Linux
Unix - platform
DESCRIPTION OF THE VULNERABILITY
When a USB device is plugged into the host, it can be made accessible to a KVM guest system.
USB control transfers to such a device are handled by the usb_host_handle_control() function in the usb-linux.c file of QEMU KVM. However, if the control data sent by the guest are larger than the buffer that receives them, a buffer overflow occurs in the QEMU process on the host.
An attacker inside a KVM guest system can therefore access a USB device in order to trigger an overflow in usb_host_handle_control(), leading to a denial of service and possibly to code execution on the host.
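The bug class the advisory describes, shown as an added example that is not QEMU's usb-linux.c and not Vigil@nce's text: a host-side control handler that copies a guest-chosen transfer length into a fixed-size buffer, next to the same handler with the bound check that prevents the overrun. The buffer size (64 bytes), the struct layout, the return codes and all names are assumptions chosen for the model; the packet contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU's code. The buffer size, struct layout
 * and names are assumptions chosen to keep the example short. */
#define CTRL_BUF_SIZE 64

/* A control transfer as the guest submits it: the setup fields plus the
 * data stage. length (wLength) and data are under guest control. */
typedef struct {
    uint8_t  request_type;
    uint8_t  request;
    uint16_t value;
    uint16_t index;
    uint16_t length;
    const uint8_t *data;
} ctrl_packet;

/* Host-side state holding the data stage in a fixed-size buffer. The
 * sentinel stands in for whatever follows the buffer in memory. */
typedef struct {
    uint8_t buffer[CTRL_BUF_SIZE];
    uint8_t sentinel;
} host_ctrl_state;

enum { USB_RET_OK = 0, USB_RET_STALL = -1 };

/* Vulnerable pattern: the guest-chosen length is copied as-is, so any
 * length above CTRL_BUF_SIZE writes past buffer. Shown for contrast
 * only; nothing below calls it with an oversized packet. */
int handle_control_unchecked(host_ctrl_state *s, const ctrl_packet *p)
{
    memcpy(s->buffer, p->data, p->length);   /* BUG: p->length unbounded */
    return USB_RET_OK;
}

/* Hardened pattern: validate the length (and the data pointer) before
 * the copy and stall the transfer instead of overrunning the buffer. */
int handle_control_checked(host_ctrl_state *s, const ctrl_packet *p)
{
    if (p->length > CTRL_BUF_SIZE)
        return USB_RET_STALL;
    if (p->length > 0 && p->data == NULL)
        return USB_RET_STALL;
    memcpy(s->buffer, p->data, p->length);
    return USB_RET_OK;
}

/* Feeds the checked handler a constructed packet of the given length and
 * returns the handler's result. Returns -2 if the sentinel after the
 * buffer was modified, i.e. if an overrun slipped through the check. */
int submit_checked(uint16_t length)
{
    /* Constructed data stage: enough bytes for any 16-bit length. */
    static uint8_t payload[UINT16_MAX];
    memset(payload, 0x41, sizeof payload);

    host_ctrl_state s;
    memset(&s, 0, sizeof s);
    s.sentinel = 0xA5;

    /* Setup fields are arbitrary constructed values (class request). */
    ctrl_packet p = { 0x21, 0x09, 0x0200, 0, length, payload };
    int ret = handle_control_checked(&s, &p);

    if (s.sentinel != 0xA5)
        return -2;
    return ret;
}

int main(void)
{
    printf("%d-byte transfer:     %d\n", CTRL_BUF_SIZE, submit_checked(CTRL_BUF_SIZE));
    printf("%d-byte transfer:     %d\n", CTRL_BUF_SIZE + 1, submit_checked(CTRL_BUF_SIZE + 1));
    printf("65535-byte transfer: %d\n", submit_checked(UINT16_MAX));
    return 0;
}
```

The check has to compare the guest-supplied length against the size of the receiving buffer, not against the length the device announced or the length QEMU expects for the request type, because the guest alone decides what it submits to the emulated controller.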
Identifiers: 557025, BID-38158, CVE-2010-0297, RHSA-2010:0088-02, VIGILANCE-VUL-9421