Avoid OOB access by verifying the requested address belong to
the actual card size. Return ADDRESS_ERROR when not in range.
Only move the state machine to ReceivingData if there is no
pending error.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.4 Data Write
* Block Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
v2: check for blksz in range, only go to sd_receivingdata_state
if no error.
---
hw/sd/sd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..2254dc7acc 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
- sd->state = sd_receivingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- sd->blk_written = 0;
-
- if (sd->data_start + sd->blk_len > sd->size)
+ if (addr + sd->blk_len >= sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ } else if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ } else if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ } else {
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ }
return sd_r1;
default:
--
2.21.3
On 6/4/20 8:25 PM, Philippe Mathieu-Daudé wrote: > Avoid OOB access by verifying the requested address belong to > the actual card size. Return ADDRESS_ERROR when not in range. > Only move the state machine to ReceivingData if there is no > pending error. > > "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" > > 4.3.4 Data Write > > * Block Write > > Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR > occurred and no data transfer is performed. > > Fixes: CVE-2020-13253 > Reported-by: Alexander Bulekov <alxndr@bu.edu> > Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 While the reproducer triggers the OOB via CMD24, other commands have the same problem, so I'll post a v3. > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > --- > Cc: Prasad J Pandit <pjp@fedoraproject.org> > > v2: check for blksz in range, only go to sd_receivingdata_state > if no error. > --- > hw/sd/sd.c | 17 +++++++++-------- > 1 file changed, 9 insertions(+), 8 deletions(-) > > diff --git a/hw/sd/sd.c b/hw/sd/sd.c > index 3c06a0ac6d..2254dc7acc 100644 > --- a/hw/sd/sd.c > +++ b/hw/sd/sd.c > @@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) > /* Writing in SPI mode not implemented. */ > if (sd->spi) > break; > - sd->state = sd_receivingdata_state; > - sd->data_start = addr; > - sd->data_offset = 0; > - sd->blk_written = 0; > - > - if (sd->data_start + sd->blk_len > sd->size) > + if (addr + sd->blk_len >= sd->size) { > sd->card_status |= ADDRESS_ERROR; > - if (sd_wp_addr(sd, sd->data_start)) > + } else if (sd_wp_addr(sd, sd->data_start)) { > sd->card_status |= WP_VIOLATION; > - if (sd->csd[14] & 0x30) > + } else if (sd->csd[14] & 0x30) { > sd->card_status |= WP_VIOLATION; > + } else { > + sd->state = sd_receivingdata_state; > + sd->data_start = addr; > + sd->data_offset = 0; > + sd->blk_written = 0; > + } > return sd_r1; > > default: >
© 2016 - 2024 Red Hat, Inc.