From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
qemu-block@nongnu.org, 1880822@bugs.launchpad.net,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Alexander Bulekov" <alxndr@bu.edu>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PATCH v2] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Thu, 4 Jun 2020 20:25:02 +0200 [thread overview]
Message-ID: <20200604182502.24228-1-f4bug@amsat.org> (raw)
Avoid OOB access by verifying the requested address belong to
the actual card size. Return ADDRESS_ERROR when not in range.
Only move the state machine to ReceivingData if there is no
pending error.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.4 Data Write
* Block Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
v2: check for blksz in range, only go to sd_receivingdata_state
if no error.
---
hw/sd/sd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..2254dc7acc 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
- sd->state = sd_receivingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- sd->blk_written = 0;
-
- if (sd->data_start + sd->blk_len > sd->size)
+ if (addr + sd->blk_len >= sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ } else if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ } else if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ } else {
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ }
return sd_r1;
default:
--
2.21.3
WARNING: multiple messages have this Message-ID (diff)
From: "Philippe Mathieu-Daudé" <1880822@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1880822] [PATCH v2] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Thu, 04 Jun 2020 18:25:02 -0000 [thread overview]
Message-ID: <20200604182502.24228-1-f4bug@amsat.org> (raw)
Message-ID: <20200604182502.2vK7pINZDSzQmywp6WHiBiVvn3lCAlJ1a94P-PMFmF0@z> (raw)
In-Reply-To: 159056340380.1780.3709038768569765525.malonedeb@chaenomeles.canonical.com
Avoid OOB access by verifying the requested address belong to
the actual card size. Return ADDRESS_ERROR when not in range.
Only move the state machine to ReceivingData if there is no
pending error.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.4 Data Write
* Block Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
v2: check for blksz in range, only go to sd_receivingdata_state
if no error.
---
hw/sd/sd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..2254dc7acc 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
- sd->state = sd_receivingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- sd->blk_written = 0;
-
- if (sd->data_start + sd->blk_len > sd->size)
+ if (addr + sd->blk_len >= sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ } else if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ } else if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ } else {
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ }
return sd_r1;
default:
--
2.21.3
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880822
Title:
CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in
DoS
Status in QEMU:
Confirmed
Bug description:
An out-of-bounds read access issue was found in the SD Memory Card
emulator of the QEMU. It occurs while performing block write commands
via sdhci_write(), if a guest user has sent 'address' which is OOB of
's->wp_groups'. A guest user/process may use this flaw to crash the
QEMU process resulting in DoS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880822/+subscriptions
next prev reply other threads:[~2020-06-04 18:26 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-27 7:10 [Bug 1880822] [NEW] CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS P J P
2020-05-27 7:15 ` [Bug 1880822] " P J P
2020-05-27 7:18 ` P J P
2020-05-27 7:28 ` Philippe Mathieu-Daudé
2020-06-04 15:02 ` Philippe Mathieu-Daudé
2020-06-04 17:34 ` [PATCH] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid Philippe Mathieu-Daudé
2020-06-04 17:34 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-04 18:03 ` Paolo Bonzini
2020-06-04 18:20 ` Philippe Mathieu-Daudé
2020-06-04 18:20 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-04 18:25 ` Philippe Mathieu-Daudé [this message]
2020-06-04 18:25 ` [Bug 1880822] [PATCH v2] " Philippe Mathieu-Daudé
2020-06-05 8:34 ` Philippe Mathieu-Daudé
2020-06-05 8:34 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-05 11:12 ` [Bug 1880822] Re: CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS Philippe Mathieu-Daudé
2020-07-16 15:53 ` Philippe Mathieu-Daudé
2020-08-20 14:41 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200604182502.24228-1-f4bug@amsat.org \
--to=f4bug@amsat.org \
--cc=1880822@bugs.launchpad.net \
--cc=alxndr@bu.edu \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).