[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1)
|
From: |
Peter Maydell |
|
Subject: |
Re: [PATCH 0/1] uas: add stream number sanity checks (maybe 6.1) |
|
Date: |
Mon, 23 Aug 2021 11:18:22 +0100 |
On Mon, 23 Aug 2021 at 10:59, Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>
> Hi,
>
> On Fri, Aug 20, 2021 at 3:07 PM Philippe Mathieu-Daudé
> <philmd@redhat.com> wrote:
> >
> > Cc'ing Mauro to double-check.
> >
> > On 8/20/21 2:12 PM, Peter Maydell wrote:
> > > On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kraxel@redhat.com> wrote:
> > >>
> > >> Security fix. Sorry for the last-minute patch, I had completely
> > >> forgotten this one until the CVE number for it arrived today.
> > >>
> > >> Given that the classic usb storage device is way more popular than
> > >> the uas (usb attached scsi) device the impact should be pretty low
> > >> and we might consider to not screw up our release schedule for this.
> > >
> > > What's the impact if the bug is exploited ?
> >
> > Bug class: "guest-triggered user-after-free".
> >
> > Being privileged (root) in the guest, you can leak some data from
> > the host process then DoS the host or potentially exploit the
> > use-after-free to execute code on the host.
> >
>
> This is actually an out-of-bounds access issue (not UAF). It's still
> potentially bad, but I agree with Gerd the impact is low. Plus there's
> an assert right before [1] that makes it a DoS if the accessed memory
> is not NULL.
Thanks. OK, (and following discussion of this on irc on Friday)
we won't put this fix into 6.1. (That is, we treat it the same way
we would if the CVE patch had arrived the day after we tagged 6.1,
ie distros and other interested parties pick up the patch as they
would any other security fix.)
-- PMM