CVE-2021-3527: 
NixOS vulnerability analysis and mitigation

A flaw was discovered in the USB redirector device (usb-redir) of QEMU, identified as CVE-2021-3527. The vulnerability was found in how QEMU handles USB packet combinations, where small USB packets are combined into a single, large transfer request to improve performance and reduce overhead. The issue was disclosed in May 2021 and affects QEMU's USB redirection support, specifically the usb-host and usb-redirect components (Openwall List).

The vulnerability stems from the use of a variable length array (VLA) on the stack in the usbredirhandlebulk_data() function. The combined size of bulk transfers is used to dynamically allocate this array without proper size validation. Since the total size is not bounded, this could lead to excessive stack allocation. The issue has been assigned a CVSS score of 5.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

When successfully exploited, this vulnerability could result in a denial of service (DoS) condition. A malicious guest could influence the array length and cause the QEMU process to perform an excessive allocation on the stack, potentially crashing the QEMU process (Debian LTS).

The issue was addressed through two main fixes: avoiding dynamic stack allocation by using autofree heap allocation instead, and implementing a size limit of 1 MiB for combined packets to restrict the host resources the guest can bind. These fixes were implemented in upstream commits (QEMU Commit, QEMU Commit).