[PULL 0/9] sdcard: Fix CVE-2020-13253 - Philippe Mathieu-Daudé

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	qemu-block@nongnu.org, "Prasad J Pandit" <ppandit@redhat.com>
Subject: [PULL 0/9] sdcard: Fix CVE-2020-13253
Date: Tue, 14 Jul 2020 15:58:05 +0200	[thread overview]
Message-ID: <20200714135814.19910-1-f4bug@amsat.org> (raw)

The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46:

  Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-reque=
st' into staging (2020-07-13 16:58:44 +0100)

are available in the Git repository at:

  https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request

for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd:

  hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07=
-14 15:46:14 +0200)

----------------------------------------------------------------
Fix CVE-2020-13253

By using invalidated address, guest can do out-of-bounds accesses.
These patches fix the issue by only allowing SD card image sizes
power of 2, and not switching to SEND_DATA state when the address
is invalid (out of range).

This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.

Reproducer:
  https://bugs.launchpad.net/qemu/+bug/1880822/comments/1

CI jobs results:
. https://cirrus-ci.com/build/5157142548185088
. https://gitlab.com/philmd/qemu/-/pipelines/166381731
. https://travis-ci.org/github/philmd/qemu/builds/707956535
----------------------------------------------------------------

Niek Linnenbank (1):
  docs/orangepi: Add instructions for resizing SD image to power of two

Philippe Mathieu-Daud=C3=A9 (8):
  MAINTAINERS: Cc qemu-block mailing list
  tests/acceptance/boot_linux: Tag tests using a SD card with
    'device:sd'
  tests/acceptance/boot_linux: Expand SD card image to power of 2
  hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
  hw/sd/sdcard: Simplify realize() a bit
  hw/sd/sdcard: Do not allow invalid SD card sizes
  hw/sd/sdcard: Update coding style to make checkpatch.pl happy
  hw/sd/sdcard: Do not switch to ReceivingData if address is invalid

 docs/system/arm/orangepi.rst           | 16 ++++-
 hw/sd/sd.c                             | 86 ++++++++++++++++++++------
 MAINTAINERS                            |  1 +
 tests/acceptance/boot_linux_console.py | 34 +++++++---
 4 files changed, 106 insertions(+), 31 deletions(-)

--=20
2.21.3

next             reply	other threads:[~2020-07-14 13:59 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-14 13:58 Philippe Mathieu-Daudé [this message]
2020-07-14 13:58 ` [PULL 1/9] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 2/9] docs/orangepi: Add instructions for resizing SD image to power of two Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 3/9] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 4/9] tests/acceptance/boot_linux: Expand SD card image to power of 2 Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 5/9] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 6/9] hw/sd/sdcard: Simplify realize() a bit Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 7/9] hw/sd/sdcard: Do not allow invalid SD card sizes Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 8/9] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Philippe Mathieu-Daudé
2020-07-14 13:58 ` [PULL 9/9] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Philippe Mathieu-Daudé
2020-07-15 11:20 ` [PULL 0/9] sdcard: Fix CVE-2020-13253 Peter Maydell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200714135814.19910-1-f4bug@amsat.org \
    --to=f4bug@amsat.org \
    --cc=alxndr@bu.edu \
    --cc=ppandit@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).