Bug 959006 – VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS

Bug 959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS


Summary:	VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state res...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2015-8558:2.3:(AV:A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2015-12-14 15:38 UTC by Marcus Meissner
Modified:	2019-05-01 16:55 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2015-12-14 15:38:19 UTC

+++ This bug was initially created as a clone of Bug #959005 +++

via oss-sec

From: P J P <ppandit@redhat.com>
Date: Mon, 14 Dec 2015 20:40:29 +0530 (IST)
Subject: [oss-security] CVE request Qemu: usb: infinite loop in ehci_advance_state results in DoS

   Hello,

Qemu emulator built with the USB EHCI emulation support is vulnerable to an 
infinite loop issue. It occurs during communication between host controller 
interface(EHCI) and a respective device driver. These two communicate via a 
isochronous transfer descriptor list(iTD) and an infinite loop unfolds if 
there is a closed loop in this list.

A privileges user inside guest could use this flaw to consume excessive CPU 
cycles & resources on the host.

Upstream fix:
- -------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02124.html

This issue was discovered by Qinghao Tang of QIHU 360 Marvel Team.

Thank you.
- --
Prasad J Pandit / Red Hat Product Security Team

Comment 1 Marcus Meissner 2015-12-14 15:40:38 UTC

11-sp3 xen seems to have the code, before its not there

Comment 2 Swamp Workflow Management 2015-12-14 23:01:17 UTC

bugbot adjusting priority

Comment 3 Marcus Meissner 2015-12-15 07:31:34 UTC

CVE-2015-8558

Comment 4 Swamp Workflow Management 2016-01-14 21:15:44 UTC

openSUSE-SU-2016:0123-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 954018,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006,959387
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7549,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_08-36.1

Comment 5 Swamp Workflow Management 2016-01-14 21:18:49 UTC

openSUSE-SU-2016:0124-1: An update that solves 15 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 947165,950704,954018,954405,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7549,CVE-2015-7970,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_10-53.1

Comment 6 Swamp Workflow Management 2016-01-14 21:21:23 UTC

openSUSE-SU-2016:0126-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 954018,956408,956409,956411,956592,956832,957988,958007,958009,958493,958523,958918,959006,959387
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7549,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.2_04-9.2

Comment 7 Charles Arnold 2016-02-27 00:34:56 UTC

This bug may be included in one or more of the
submissions listed below.

SUSE:SLE-12-SP1:Update: 98638
SUSE:SLE-12:Update: 98642
SUSE:SLE-11-SP4:Update: 98646
SUSE:SLE-11-SP3:Update: 98650
SUSE:SLE-11-SP2:Update: 98654
SUSE:SLE-11-SP1:Update:Teradata: 98658
SUSE:SLE-11-SP1:Update: 98662
SUSE:SLE-10-SP4:Update:Test: 98666
SUSE:SLE-10-SP3:Update:Test: 98670

openSUSE:Factory: 362063
openSUSE:Leap:42.1:Update: 362057
openSUSE:13.2:Update: 362060

Comment 8 Swamp Workflow Management 2016-05-17 16:09:11 UTC

SUSE-SU-2016:1318-1: An update that solves 45 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 954872,956832,957988,958007,958009,958493,958523,958918,959006,959387,959695,960707,960726,960836,960861,960862,961332,961358,961692,962321,962335,962360,962611,962627,962632,962642,962758,963783,963923,964415,964431,964452,964644,964746,964925,964929,964947,964950,965112,965156,965269,965315,965317,967090,967101,968004,969125,969126
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.4_02-22.19.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.4_02-22.19.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.4_02-22.19.1