Avoid OOB access by verifying the requested address belongs to
the actual card size. Return ADDRESS_ERROR when not in range.

"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

4.3.4 Data Write

* Block Write

Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.

Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/sd/sd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..0ced3b5e14 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+ if (addr >= sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
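Review bot: The added `if (addr >= sd->size)` test only validates the first byte of the write, so an `addr` just below `sd->size` still passes and `sd->data_start = addr` then begins a block transfer that can extend past the end of the card. Suggest bounding the end of the block as well, that is the start address plus the current block length against `sd->size`, written as a subtraction on the size side so the sum cannot wrap. A short comment citing the spec section from the commit message next to the `ADDRESS_ERROR` line would also help future readers.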
--
2.21.3
On 04/06/20 19:34, Philippe Mathieu-Daudé wrote:
> Avoid OOB access by verifying the requested address belongs to
> the actual card size. Return ADDRESS_ERROR when not in range.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.4 Data Write
>
> * Block Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> Fixes: CVE-2020-13253
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/sd/sd.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 3c06a0ac6d..0ced3b5e14 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
> /* Writing in SPI mode not implemented. */
> if (sd->spi)
> break;
> + if (addr >= sd->size) {
> + sd->card_status |= ADDRESS_ERROR;
> + return sd_r1;
> + }
> sd->state = sd_receivingdata_state;
> sd->data_start = addr;
> sd->data_offset = 0;
>
I'm not sure if you want me to queue it, but I did. Probably we should
add qemu-block@nongnu.org to the hw/sd stanza.
Paolo
On 6/4/20 8:03 PM, Paolo Bonzini wrote:
> On 04/06/20 19:34, Philippe Mathieu-Daudé wrote:
>> Avoid OOB access by verifying the requested address belongs to
>> the actual card size. Return ADDRESS_ERROR when not in range.
>>
>> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>>
>> 4.3.4 Data Write
>>
>> * Block Write
>>
>> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
>> occurred and no data transfer is performed.
>>
>> Fixes: CVE-2020-13253
>> Reported-by: Alexander Bulekov <alxndr@bu.edu>
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>> ---
>> Cc: Prasad J Pandit <pjp@fedoraproject.org>
>> ---
>> hw/sd/sd.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
>> index 3c06a0ac6d..0ced3b5e14 100644
>> --- a/hw/sd/sd.c
>> +++ b/hw/sd/sd.c
>> @@ -1211,6 +1211,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
>> /* Writing in SPI mode not implemented. */
>> if (sd->spi)
>> break;
>> + if (addr >= sd->size) {
>> + sd->card_status |= ADDRESS_ERROR;
>> + return sd_r1;
>> + }
>> sd->state = sd_receivingdata_state;
>> sd->data_start = addr;
>> sd->data_offset = 0;
>>
>
> I'm not sure if you want me to queue it, but I did.
Hmm I guess I typed "^RPrasad" in my shell to have the last git-publish
command with his email, and I didn't notice you were also there...
Anyway looking at it again, this patch is wrong because I should check
for addr + blksize < sd_size instead. Can you drop it please?
> Probably we should
> add qemu-block@nongnu.org to the hw/sd stanza.
OK will do.
>
> Paolo
>
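
The difference between checking only the start address and checking the whole block, which the last reply in this thread raises, shown as an added example that is not QEMU code and not part of the original messages. The `struct card` model, the function names, the 64-bit address type and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical card model: only the fields the range check needs. */
struct card {
    uint64_t size;     /* card capacity in bytes */
    uint32_t blk_len;  /* current block length in bytes */
};

/* Constructed sample values: 1 MiB card, 512-byte blocks. */
static const struct card SAMPLE = { .size = 1u << 20, .blk_len = 512 };

/* Start-only check, the shape of the posted hunk: rejects addr >= size. */
static bool start_in_range(const struct card *c, uint64_t addr)
{
    return addr < c->size;
}

/* Naive end check: addr + blk_len can wrap around for a huge addr. */
static bool end_in_range_naive(const struct card *c, uint64_t addr)
{
    return addr + c->blk_len <= c->size;
}

/* Whole-block check: [addr, addr + blk_len) must lie inside the card.
 * Subtracting on the size side means no sum is formed that could wrap. */
static bool block_in_range(const struct card *c, uint64_t addr)
{
    if (c->blk_len > c->size) {
        return false;
    }
    return addr <= c->size - c->blk_len;
}

int main(void)
{
    const uint64_t probes[] = { 0, SAMPLE.size - 512, SAMPLE.size - 1,
                                SAMPLE.size, UINT64_MAX - 100 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("addr=%#llx start=%d naive_end=%d block=%d\n",
               (unsigned long long)probes[i],
               start_in_range(&SAMPLE, probes[i]),
               end_in_range_naive(&SAMPLE, probes[i]),
               block_in_range(&SAMPLE, probes[i]));
    }
    return 0;
}
```

The last byte of the card passes the start-only check but fails the whole-block check, and the address near `UINT64_MAX` passes the naive end check only because the sum wraps.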