From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"Prasad J Pandit" <pjp@fedoraproject.org>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	1880822@bugs.launchpad.net, "Paolo Bonzini" <pbonzini@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PATCH] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Thu,  4 Jun 2020 19:34:10 +0200
Message-ID: <20200604173410.21074-1-f4bug@amsat.org>

Avoid OOB access by verifying the requested address belongs to
the actual card size. Return ADDRESS_ERROR when not in range.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.4 Data Write

  * Block Write

  Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/sd/sd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..0ced3b5e14 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             /* Writing in SPI mode not implemented.  */
             if (sd->spi)
                 break;
+            if (addr >= sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+            }
             sd->state = sd_receivingdata_state;
             sd->data_start = addr;
             sd->data_offset = 0;
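Review bot: the new check rejects only a start address at or past the end of the card (`addr >= sd->size`), not a write whose block begins just inside the card and extends past its end; unless the later data path already clamps the transfer to `sd->size`, consider checking the end of the block rather than `addr` alone. Two smaller points: the SPI early exit a few lines above leaves the command with `break` while this check uses `return sd_r1`, so the two rejection paths exit differently, and the diff adds the guard to a single case only, so any other block-write command that enters `sd_receivingdata_state` with a guest-supplied address needs the same check.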
-- 
2.21.3

https://bugs.launchpad.net/bugs/1880822

Title:
  CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in
  DoS

Status in QEMU:
  Confirmed

Bug description:
  An out-of-bounds read access issue was found in the SD Memory Card
  emulator of QEMU. It occurs while performing block write commands
  via sdhci_write(), if a guest user has sent an 'address' which is OOB of
  's->wp_groups'. A guest user/process may use this flaw to crash the
  QEMU process resulting in DoS.

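The following is an added example, not QEMU's code: a small stand-alone model of the check the patch introduces, written to show why rejecting an address at or beyond the card size is what keeps the later write-protect-group lookup inside its array. The type and function names (card_t, sd_cmd24_start, wp_group_index), the CARD_ADDRESS_ERROR bit value, the 512-byte block size and the 16-blocks-per-group ratio are this example's own assumptions and only loosely mirror the field names visible in the hunk.

```c
/* Added example (not QEMU's code): model of the CMD24 bounds check and the
 * write-protect-group lookup it guards. Names and constants are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Status bit modelled on ADDRESS_ERROR in the hunk; the bit position is an assumption. */
#define CARD_ADDRESS_ERROR (1u << 30)

/* Assumed geometry: 512-byte blocks, one write-protect group per 16 blocks. */
#define BLOCK_SIZE     512u
#define BLOCKS_PER_WPG 16u

typedef struct {
    uint64_t size;        /* card capacity in bytes, like sd->size in the hunk */
    uint32_t card_status; /* like sd->card_status */
    uint64_t data_start;  /* like sd->data_start */
    bool receiving;       /* models sd_receivingdata_state */
    size_t n_wp_groups;
    uint8_t *wp_groups;   /* one byte per group: the array the bug read past */
} card_t;

/* Build a card of the given number of blocks with every group unprotected. */
static card_t *card_new(uint64_t blocks) {
    card_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->size = blocks * BLOCK_SIZE;
    c->n_wp_groups = (size_t)((blocks + BLOCKS_PER_WPG - 1) / BLOCKS_PER_WPG);
    c->wp_groups = calloc(c->n_wp_groups, 1);
    if (!c->wp_groups) { free(c); return NULL; }
    return c;
}

static void card_free(card_t *c) { if (c) { free(c->wp_groups); free(c); } }

/* Map a byte address to the index of its write-protect group. */
static size_t wp_group_index(uint64_t addr) {
    return (size_t)(addr / BLOCK_SIZE / BLOCKS_PER_WPG);
}

/* Start of a CMD24 block write at byte address addr. Returns true when the
 * card accepts the data phase, false when the command is rejected. With the
 * bounds check, addr < size guarantees wp_group_index(addr) < n_wp_groups,
 * so the lookup below can never run past the array; without it, any
 * guest-chosen addr >= size indexes out of bounds. */
static bool sd_cmd24_start(card_t *c, uint64_t addr) {
    /* The check added by the patch. */
    if (addr >= c->size) {
        c->card_status |= CARD_ADDRESS_ERROR;
        return false;
    }
    size_t g = wp_group_index(addr);   /* safe only because of the check above */
    if (c->wp_groups[g]) {
        return false;                  /* protected group: no data transfer */
    }
    c->receiving = true;
    c->data_start = addr;
    return true;
}

/* True if ADDRESS_ERROR has been latched in card_status. */
static bool card_has_address_error(const card_t *c) {
    return (c->card_status & CARD_ADDRESS_ERROR) != 0;
}

/* Exercise the boundary on a constructed 64-block (32 KiB) card.
 * Returns the number of unexpected outcomes (0 means all as expected). */
static int run_boundary_checks(void) {
    card_t *c = card_new(64);
    if (!c) return -1;
    int failures = 0;
    if (!sd_cmd24_start(c, 63 * BLOCK_SIZE)) failures++;   /* last block: accepted */
    if (card_has_address_error(c)) failures++;             /* no error yet */
    if (sd_cmd24_start(c, c->size)) failures++;            /* addr == size: rejected */
    if (!card_has_address_error(c)) failures++;            /* error now latched */
    if (sd_cmd24_start(c, UINT64_C(1) << 40)) failures++;  /* far out of range: rejected */
    card_free(c);
    return failures;
}

int main(void) {
    int f = run_boundary_checks();
    printf("%s\n", f == 0 ? "all boundary checks passed" : "boundary checks failed");
    return f == 0 ? 0 : 1;
}
```

The interesting case is `addr == size`: it is the first address that is out of range, and a `>` comparison instead of the patch's `>=` would let it through and index one group past the end of a card whose block count is a multiple of the group size.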


Thread overview: 17+ messages
2020-06-04 17:34 Philippe Mathieu-Daudé [this message]
2020-06-04 17:34 ` [Bug 1880822] [PATCH] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid Philippe Mathieu-Daudé
2020-06-04 18:03 ` Paolo Bonzini
2020-06-04 18:20   ` Philippe Mathieu-Daudé
2020-06-04 18:20     ` [Bug 1880822] " Philippe Mathieu-Daudé
  -- strict thread matches above, loose matches on Subject: below --
2020-06-04 18:25 [PATCH v2] " Philippe Mathieu-Daudé
2020-06-04 18:25 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-05  8:34 ` Philippe Mathieu-Daudé
2020-06-05  8:34   ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-05-27  7:10 [Bug 1880822] [NEW] CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS P J P
2020-05-27  7:15 ` [Bug 1880822] " P J P
2020-05-27  7:18 ` P J P
2020-05-27  7:28 ` Philippe Mathieu-Daudé
2020-06-04 15:02 ` Philippe Mathieu-Daudé
2020-06-05 11:12 ` Philippe Mathieu-Daudé
2020-07-16 15:53 ` Philippe Mathieu-Daudé
2020-08-20 14:41 ` Thomas Huth