The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Qemu | Qemu | * | 2.5.1.1 (including) |
| Qemu | Ubuntu | esm-infra-legacy/trusty | * |
| Qemu | Ubuntu | esm-infra/xenial | * |
| Qemu | Ubuntu | trusty | * |
| Qemu | Ubuntu | trusty/esm | * |
| Qemu | Ubuntu | upstream | * |
| Qemu | Ubuntu | vivid | * |
| Qemu | Ubuntu | wily | * |
| Qemu | Ubuntu | xenial | * |
| Qemu-kvm | Ubuntu | precise | * |
| Qemu-kvm | Ubuntu | upstream | * |
Potential Mitigations
References
- http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fa1298c2d623522eda7b4f1f721fcb935abb7360
- http://www.openwall.com/lists/oss-security/2016/02/16/2
- http://www.securityfocus.com/bid/83263
- http://www.ubuntu.com/usn/USN-2974-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1304794
- https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
- https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03374.html
- http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fa1298c2d623522eda7b4f1f721fcb935abb7360
- http://www.openwall.com/lists/oss-security/2016/02/16/2
- http://www.securityfocus.com/bid/83263
- http://www.ubuntu.com/usn/USN-2974-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1304794
- https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
- https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03374.html