Avoid OOB access by verifying the requested address belong to
the actual card size. Return ADDRESS_ERROR when not in range.
Only move the state machine to ReceivingData if there is no
pending error.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.4 Data Write
* Block Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Fixes: CVE-2020-13253
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Prasad J Pandit <pjp@fedoraproject.org>
v2: check for blksz in range, only go to sd_receivingdata_state
if no error.
---
hw/sd/sd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..2254dc7acc 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
- sd->state = sd_receivingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- sd->blk_written = 0;
-
- if (sd->data_start + sd->blk_len > sd->size)
+ if (addr + sd->blk_len >= sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ } else if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ } else if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ } else {
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ }
return sd_r1;
default:
--
2.21.3
On 6/4/20 8:25 PM, Philippe Mathieu-Daudé wrote:
> Avoid OOB access by verifying the requested address belong to
> the actual card size. Return ADDRESS_ERROR when not in range.
> Only move the state machine to ReceivingData if there is no
> pending error.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.4 Data Write
>
> * Block Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> Fixes: CVE-2020-13253
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
While the reproducer triggers the OOB via CMD24, other commands have the
same problem, so I'll post a v3.
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
>
> v2: check for blksz in range, only go to sd_receivingdata_state
> if no error.
> ---
> hw/sd/sd.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 3c06a0ac6d..2254dc7acc 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
> /* Writing in SPI mode not implemented. */
> if (sd->spi)
> break;
> - sd->state = sd_receivingdata_state;
> - sd->data_start = addr;
> - sd->data_offset = 0;
> - sd->blk_written = 0;
> -
> - if (sd->data_start + sd->blk_len > sd->size)
> + if (addr + sd->blk_len >= sd->size) {
> sd->card_status |= ADDRESS_ERROR;
> - if (sd_wp_addr(sd, sd->data_start))
> + } else if (sd_wp_addr(sd, sd->data_start)) {
> sd->card_status |= WP_VIOLATION;
> - if (sd->csd[14] & 0x30)
> + } else if (sd->csd[14] & 0x30) {
> sd->card_status |= WP_VIOLATION;
> + } else {
> + sd->state = sd_receivingdata_state;
> + sd->data_start = addr;
> + sd->data_offset = 0;
> + sd->blk_written = 0;
> + }
> return sd_r1;
>
> default:
>
© 2016 - 2024 Red Hat, Inc.