Bug 1043073 (CVE-2017-9374)

Summary: VUL-0: CVE-2017-9374: kvm,qemu: usb: ehci host memory leakage during hotunplug
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Fei Li <fli>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: brogers, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/186308/
Whiteboard: CVSSv3:RedHat:CVE-2017-9374:3.0:(AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2017-9374:3.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L) CVSSv2:RedHat:CVE-2017-9374:2.3:(AV:A/AC:M/Au:S/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-9374:1.7:(AV:L/AC:L/Au:S/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-9374:2.1:(AV:L/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2017-9374:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1043074

Description Johannes Segitz 2017-06-07 08:34:43 UTC
author	Li Qiang

In the usb_ehci_init function, it initializes 's->ipacket', but there
is no corresponding function to free this. As the ehci can be hotplugged
and unplugged, this will leak host memory. In order to make the
hierarchy clean, we should add an ehci pci finalize function, then call
the clean function in ehci device.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1459132
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9374
http://seclists.org/oss-sec/2017/q2/420
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9374.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9374
http://git.qemu.org/?p=qemu.git;a=commit;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
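
The leak pattern described above, as an added example that is not part of the original report and is not QEMU's code: a simplified model in which an init routine allocates a per-device buffer and repeated hot-plug/unplug cycles are run with and without a matching finalize step. All names (`ModelEhci`, `model_ehci_init`, `model_ehci_finalize`, `hotplug_cycles`) and the buffer size are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name and size here is hypothetical, not QEMU's. */
#define MODEL_IPACKET_SIZE 4096      /* constructed buffer size for the demo */

static size_t live_bytes;            /* bytes the model currently holds */

typedef struct {
    unsigned char *ipacket;          /* buffer created at init time */
} ModelEhci;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p) live_bytes += n;
    return p;
}

static void tracked_free(void *p, size_t n) {
    if (p) { free(p); live_bytes -= n; }
}

/* Init: allocates the buffer, like the init path named in the report. */
static int model_ehci_init(ModelEhci *s) {
    s->ipacket = tracked_alloc(MODEL_IPACKET_SIZE);
    return s->ipacket ? 0 : -1;
}

/* Finalize: the counterpart the report says was missing. */
static void model_ehci_finalize(ModelEhci *s) {
    tracked_free(s->ipacket, MODEL_IPACKET_SIZE);
    s->ipacket = NULL;
}

/* Hot-plug and unplug a device n times; return bytes still allocated. */
size_t hotplug_cycles(unsigned n, int call_finalize) {
    live_bytes = 0;
    for (unsigned i = 0; i < n; i++) {
        ModelEhci *s = calloc(1, sizeof(*s));
        if (!s || model_ehci_init(s) != 0) { free(s); break; }
        if (call_finalize) model_ehci_finalize(s);
        free(s);                     /* the device object itself goes away on unplug */
    }
    return live_bytes;
}

int main(void) {
    printf("without finalize: %zu bytes leaked\n", hotplug_cycles(100, 0));
    printf("with finalize:    %zu bytes leaked\n", hotplug_cycles(100, 1));
    return 0;
}
```

Without the finalize call the leaked total grows linearly with the number of unplug cycles, which is why the issue is rated as an availability impact on the host.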
Comment 1 Swamp Workflow Management 2017-07-04 19:20:47 UTC
SUSE-SU-2017:1774-1: An update that solves 23 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1016503,1016504,1017081,1017084,1020427,1021741,1025109,1025311,1028184,1028656,1030624,1031142,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1037334,1037336,1039495,1042159,1042800,1042801,1043073,1043296
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-9602,CVE-2016-9603,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-8379,CVE-2017-8380,CVE-2017-9330,CVE-2017-9373,CVE-2017-9374,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-41.16.1
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-41.16.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-41.16.1
Comment 2 Swamp Workflow Management 2017-07-14 22:14:21 UTC
openSUSE-SU-2017:1872-1: An update that solves 23 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1016503,1016504,1017081,1017084,1020427,1021741,1025109,1025311,1028184,1028656,1030624,1031142,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1037334,1037336,1039495,1042159,1042800,1042801,1043073,1043296
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-9602,CVE-2016-9603,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-8379,CVE-2017-8380,CVE-2017-9330,CVE-2017-9373,CVE-2017-9374,CVE-2017-9375,CVE-2017-9503
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-31.3.3, qemu-linux-user-2.6.2-31.3.1, qemu-testsuite-2.6.2-31.3.6
Comment 3 Bruce Rogers 2017-09-11 21:02:51 UTC
This patch is now qemu's upstream git commit id d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
Comment 4 Marcus Meissner 2017-10-25 19:41:38 UTC
released
Comment 5 Swamp Workflow Management 2017-11-08 11:13:08 UTC
SUSE-SU-2017:2946-1: An update that solves 33 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020427,1021741,1025109,1025311,1028184,1028656,1030624,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1037334,1037336,1039495,1042159,1042800,1042801,1043073,1043296,1045035,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1062069,1063122,994418,994605
CVE References: CVE-2016-6834,CVE-2016-6835,CVE-2016-9602,CVE-2016-9603,CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-8379,CVE-2017-8380,CVE-2017-9330,CVE-2017-9373,CVE-2017-9374,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src):    qemu-2.3.1-33.3.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.3.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.3.3