qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
Cc: Alexander Bulekov <alxndr@bu.edu>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Qemu-block <qemu-block@nongnu.org>,
	Prasad J Pandit <ppandit@redhat.com>
Subject: Re: [PULL 0/9] sdcard: Fix CVE-2020-13253
Date: Wed, 15 Jul 2020 12:20:39 +0100
Message-ID: <CAFEAcA8zr7_a8OvOptB0sUS9kKVUM3k__qDy2Z+Q9j=gBXEfNQ@mail.gmail.com>
In-Reply-To: <20200714135814.19910-1-f4bug@amsat.org>

On Tue, 14 Jul 2020 at 15:00, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-request' into staging (2020-07-13 16:58:44 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request
>
> for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd:
>
>   hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07-14 15:46:14 +0200)
>
> ----------------------------------------------------------------
> Fix CVE-2020-13253
>
> By using an invalidated address, a guest can do out-of-bounds accesses.
> These patches fix the issue by only allowing SD card image sizes that
> are a power of 2, and by not switching to the SEND_DATA state when the
> address is invalid (out of range).
>
> This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
> see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.
>
> Reproducer:
>   https://bugs.launchpad.net/qemu/+bug/1880822/comments/1
>
> CI jobs results:
> . https://cirrus-ci.com/build/5157142548185088
> . https://gitlab.com/philmd/qemu/-/pipelines/166381731
> . https://travis-ci.org/github/philmd/qemu/builds/707956535
> ----------------------------------------------------------------



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM
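For readers who want to see the invariant the fix restores, here is an added toy model of the two checks the cover letter describes: a power-of-two image size (PULL 7/9) and an address-range check before the card enters ReceivingData (PULL 9/9). This is illustrative code written for this page, not QEMU's hw/sd/sd.c; the names `sd_card`, `sd_size_valid`, `sd_addr_valid`, `sd_write_block` and `sd_try_write` are hypothetical, and the 512-byte block length is assumed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the guarded state transition; not QEMU's hw/sd/sd.c. */
enum sd_state { SD_TRANSFER = 0, SD_RECEIVINGDATA = 1 };

struct sd_card {
    uint64_t size;      /* image size in bytes */
    uint32_t blk_len;   /* block length, 512 in this model (assumed) */
    enum sd_state state;
};

/* Image sizes must be a power of two (cf. PULL 7/9). */
static bool sd_size_valid(uint64_t size)
{
    return size != 0 && (size & (size - 1)) == 0;
}

/* An address is valid only if the whole block fits inside the image;
 * written so the unsigned arithmetic cannot wrap. */
static bool sd_addr_valid(const struct sd_card *sd, uint64_t addr)
{
    return addr < sd->size && sd->blk_len <= sd->size - addr;
}

/* WRITE_BLOCK (CMD24) handling: enter ReceivingData only for a valid
 * address; otherwise stay in Transfer and report an error (cf. PULL 9/9).
 * Returns true when the state switched. */
static bool sd_write_block(struct sd_card *sd, uint64_t addr)
{
    if (sd->state != SD_TRANSFER || !sd_addr_valid(sd, addr)) {
        return false;            /* no state change, no data accepted */
    }
    sd->state = SD_RECEIVINGDATA;
    return true;
}

/* Drive the model once with a constructed card: reject an invalid image
 * size up front (-1), else attempt one WRITE_BLOCK at addr and return the
 * resulting state (SD_TRANSFER or SD_RECEIVINGDATA). */
static int sd_try_write(uint64_t size, uint64_t addr)
{
    if (!sd_size_valid(size)) {
        return -1;
    }
    struct sd_card sd = { size, 512, SD_TRANSFER };
    sd_write_block(&sd, addr);
    return (int)sd.state;
}
```

The last block of a 64 MiB image (address 64 MiB - 512) is accepted, while an address one byte later, or one at the image size, leaves the card in Transfer instead of ReceivingData.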


Thread overview: 11+ messages
2020-07-14 13:58 [PULL 0/9] sdcard: Fix CVE-2020-13253 Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 1/9] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 2/9] docs/orangepi: Add instructions for resizing SD image to power of two Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 3/9] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 4/9] tests/acceptance/boot_linux: Expand SD card image to power of 2 Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 5/9] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 6/9] hw/sd/sdcard: Simplify realize() a bit Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 7/9] hw/sd/sdcard: Do not allow invalid SD card sizes Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 8/9] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 9/9] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Philippe Mathieu-Daudé
2020-07-15 11:20 ` Peter Maydell [this message]