Avoid OOB access by verifying the requested address belong to
the actual card size. Return ADDRESS_ERROR when not in range.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.4 Data Write
* Block Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/sd/sd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..0ced3b5e14 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+ if (addr >= sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
--
2.21.3
On 04/06/20 19:34, Philippe Mathieu-Daudé wrote: > Avoid OOB access by verifying the requested address belong to > the actual card size. Return ADDRESS_ERROR when not in range. > > "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" > > 4.3.4 Data Write > > * Block Write > > Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR > occurred and no data transfer is performed. > > Fixes: CVE-2020-13253 > Reported-by: Alexander Bulekov <alxndr@bu.edu> > Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > --- > Cc: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/sd/sd.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/hw/sd/sd.c b/hw/sd/sd.c > index 3c06a0ac6d..0ced3b5e14 100644 > --- a/hw/sd/sd.c > +++ b/hw/sd/sd.c > @@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) > /* Writing in SPI mode not implemented. */ > if (sd->spi) > break; > + if (addr >= sd->size) { > + sd->card_status |= ADDRESS_ERROR; > + return sd_r1; > + } > sd->state = sd_receivingdata_state; > sd->data_start = addr; > sd->data_offset = 0; > I'm not sure if you want me to queue it, but I did. Probably we should add qemu-block@nongnu.org to the hw/sd stanza. Paolo
On 6/4/20 8:03 PM, Paolo Bonzini wrote: > On 04/06/20 19:34, Philippe Mathieu-Daudé wrote: >> Avoid OOB access by verifying the requested address belong to >> the actual card size. Return ADDRESS_ERROR when not in range. >> >> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" >> >> 4.3.4 Data Write >> >> * Block Write >> >> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR >> occurred and no data transfer is performed. >> >> Fixes: CVE-2020-13253 >> Reported-by: Alexander Bulekov <alxndr@bu.edu> >> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 >> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> >> --- >> Cc: Prasad J Pandit <pjp@fedoraproject.org> >> --- >> hw/sd/sd.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/hw/sd/sd.c b/hw/sd/sd.c >> index 3c06a0ac6d..0ced3b5e14 100644 >> --- a/hw/sd/sd.c >> +++ b/hw/sd/sd.c >> @@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) >> /* Writing in SPI mode not implemented. */ >> if (sd->spi) >> break; >> + if (addr >= sd->size) { >> + sd->card_status |= ADDRESS_ERROR; >> + return sd_r1; >> + } >> sd->state = sd_receivingdata_state; >> sd->data_start = addr; >> sd->data_offset = 0; >> > > I'm not sure if you want me to queue it, but I did. Hmm I guess I typed "^RPrasad" in my shell to have the last git-publish command with his email, and I didn't noticed you were also there... Anyway looking at it again, this patch is wrong because I should check for addr + blksize < sd_size instead. Can you drop it please? > Probably we should > add qemu-block@nongnu.org to the hw/sd stanza. OK will do. > > Paolo >
© 2016 - 2024 Red Hat, Inc.