Infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c (CVE-2020-14394)
Host environment
-
Operating system: Fedora 33
-
OS/kernel version: 5.13.16-100.fc33.x86_64
-
Architecture: x86
-
QEMU flavor: qemu-system-x86_64
-
QEMU version: 6.1.50 (v6.1.0-861-g22651bced7)
-
QEMU command line:
./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -m 4G -device nec-usb-xhci,id=xhci,slots=64 -device usb-tablet,bus=xhci.0,port=1,id=usbdev1 -hda fedora32.qcow2
Emulated/Virtualized environment
- Operating system: Fedora 32
- OS/kernel version: 5.11.22-100.fc32.x86_64
- Architecture: x86
Description of problem
An infinite loop issue was found in the USB xHCI controller emulation of QEMU. Specifically, function xhci_ring_chain_length()
in hw/usb/hcd-xhci.c may get stuck while fetching empty TRBs from guest memory, since the exit conditions of the loop depend on values that are fully controlled by guest. A privileged guest user may exploit this issue to hang the QEMU process on the host, resulting in a denial of service.
Steps to reproduce
Build and load xhci.ko
from within the guest:
- make
- insmod xhci.ko
Additional information
This issue was reported by Gaoning Pan (Zhejiang University) and Xingwei Li (Ant Security Light-Year Lab).
RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1908004.