[arch-security] Heap overflow in Qemu USB stack
To all,

A Red Hat security member has posted information about a heap overflow in the QEMU USB stack; please see below for the forwarded message.

Regards,
Mark
Hello,
Correct post load checks:

1. dev->setup_len == sizeof(dev->data_buf) seems fine, no need to fail migration
2. When state is DATA, passing index > len will cause memcpy with negative length, resulting in heap overflow
A user able to alter the saved VM data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
Upstream fix:
-------------
-> http://article.gmane.org/gmane.comp.emulators.qemu/272322
Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
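The two post-load checks described in the forwarded message, written out as an added illustration (this is not QEMU's code; the struct, field names and DATA_BUF_SIZE are assumptions for the example). It shows why index > len yields a wrapped memcpy length and what a post-load validator that enforces both checks looks like:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for migrated USB device state; not QEMU's own
 * struct, and the field names are assumptions for this example. */
#define DATA_BUF_SIZE 4096
enum { STATE_IDLE = 0, STATE_DATA = 1 };

typedef struct {
    int     setup_state;             /* STATE_IDLE or STATE_DATA */
    int32_t setup_len;               /* total bytes of the control transfer */
    int32_t setup_index;             /* bytes already transferred */
    uint8_t data_buf[DATA_BUF_SIZE]; /* fixed-size staging buffer */
} usb_dev_state;

/* What an unvalidated path computes: len - index. If index > len the
 * result is negative and, converted to memcpy's size_t parameter, turns
 * into a huge length that runs far past data_buf. */
size_t unchecked_copy_len(int32_t len, int32_t idx)
{
    int32_t remaining = len - idx;
    return (size_t)remaining;
}

/* Hardened post-load validation: reject any loaded state that would let
 * a later memcpy overrun data_buf. Returns true if the state is sane. */
bool usb_post_load_validate(const usb_dev_state *dev)
{
    if (dev->setup_len < 0 || dev->setup_index < 0)
        return false;
    /* setup_len == sizeof(data_buf) is fine; only larger is rejected */
    if ((size_t)dev->setup_len > sizeof(dev->data_buf))
        return false;
    /* in DATA state the index must never exceed the total length */
    if (dev->setup_state == STATE_DATA && dev->setup_index > dev->setup_len)
        return false;
    return true;
}

/* Convenience wrapper: validate a constructed state from bare fields. */
bool validate_fields(int state, int32_t len, int32_t idx)
{
    usb_dev_state dev;
    memset(&dev, 0, sizeof(dev));
    dev.setup_state = state;
    dev.setup_len = len;
    dev.setup_index = idx;
    return usb_post_load_validate(&dev);
}
```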