Hi,

On Fri, Aug 20, 2021 at 3:07 PM Philippe Mathieu-Daudé <phi...@redhat.com> wrote:
>
> Cc'ing Mauro to double-check.
>
> On 8/20/21 2:12 PM, Peter Maydell wrote:
> > On Wed, 18 Aug 2021 at 13:10, Gerd Hoffmann <kra...@redhat.com> wrote:
> >>
> >> Security fix. Sorry for the last-minute patch, I had completely
> >> forgotten this one until the CVE number for it arrived today.
> >>
> >> Given that the classic usb storage device is way more popular than
> >> the uas (usb attached scsi) device the impact should be pretty low
> >> and we might consider to not screw up our release schedule for this.
> >
> > What's the impact if the bug is exploited?
>
> Bug class: "guest-triggered use-after-free".
>
> Being privileged (root) in the guest, you can leak some data from
> the host process then DoS the host or potentially exploit the
> use-after-free to execute code on the host.
>

This is actually an out-of-bounds access issue (not UAF). It's still
potentially bad, but I agree with Gerd the impact is low. Plus there's
an assert right before [1] that makes it a DoS if the accessed memory
is not NULL.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/hw/usb/dev-uas.c#L850

Regards.

--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0