From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>, "Prasad J Pandit" <pjp@fedoraproject.org>, "Alexander Bulekov" <alxndr@bu.edu>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, 1880822@bugs.launchpad.net, "Paolo Bonzini" <pbonzini@redhat.com>, "Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PATCH] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Thu, 4 Jun 2020 19:34:10 +0200
Message-ID: <20200604173410.21074-1-f4bug@amsat.org>

Avoid OOB access by verifying the requested address belongs to the
actual card size. Return ADDRESS_ERROR when not in range.

"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.4 Data Write

  * Block Write

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
    occurred and no data transfer is performed.

Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/sd/sd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..0ced3b5e14 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) /* Writing in SPI mode not implemented. */ if (sd->spi) break; + if (addr >= sd->size) { + sd->card_status |= ADDRESS_ERROR; + return sd_r1; + } sd->state = sd_receivingdata_state; sd->data_start = addr; sd->data_offset = 0;
-- 
2.21.3
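Review bot: the new guard in the CMD24 path only validates the start of the block, `if (addr >= sd->size)`, while the transfer it precedes receives a whole block beginning at `sd->data_start = addr`; a start address a few bytes below sd->size therefore still passes the check and the received data can still run past the end of the card. Reject the command when the start address plus the card's current block length exceeds sd->size instead (the field holding the block length is not visible in this hunk). Since the commit message cites the spec's general "Block Write" rule rather than a CMD24-specific one, it is also worth confirming whether the multiple-block write command in the same function needs the same guard; as posted, the subject and hunk cover CMD24 only.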
Bug notification from https://bugs.launchpad.net/bugs/1880822 (appended to the copy of this patch relayed through the bug tracker):

Title: CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS
Status in QEMU: Confirmed

Bug description:
An out-of-bounds read access issue was found in the SD Memory Card emulator of QEMU. It occurs while performing block write commands via sdhci_write(), if a guest user has sent an 'address' which is OOB of 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU process, resulting in DoS.