QEMU: usb: out-of-bounds r/w access issue

ISSUE DESCRIPTION

An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when ‘USBDevice->setup_len’ exceeds the USBDevice->data_buf[4096], in do_token_{in,out} routines.

IMPACT

A guest user may use this flaw to crash the QEMU process resulting in DoS OR potentially execute arbitrary code with the privileges of the QEMU process on the host.

VULNERABLE SYSTEMS

All versions of Qemu shipped with in-support versions of Xen are vulnerable. This includes both qemu-traditional and qemu-xen.
The vulnerability can only be exploited when Qemu is used as a device model. This configuration is only used by default for x86 HVM guests. x86 PV, PVH and ARM guest do not use a device model by default.
Guests configured to use a Qemu stubdomain contain the code execution within the stubdomain, and are therefore not considered vulnerable.