From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Prasad J Pandit, qemu-block@nongnu.org, Alistair Francis, Philippe Mathieu-Daudé, Wainer dos Santos Moschetta, Alexander Bulekov, Niek Linnenbank, Cleber Rosa
Subject: [PATCH v2 9/9] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
Date: Mon, 13 Jul 2020 20:32:09 +0200
Message-Id: <20200713183209.26308-10-f4bug@amsat.org>
In-Reply-To: <20200713183209.26308-1-f4bug@amsat.org>
References: <20200713183209.26308-1-f4bug@amsat.org>

Only move the state machine to ReceivingData if there is no pending error.
This avoids later OOB access while processing commands queued.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.3 Data Read

    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
    occurred and no data transfer is performed.

  4.3.4 Data Write

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
    occurred and no data transfer is performed.

WP_VIOLATION errors are not modified: the error bit is set, we stay
in receive-data state, wait for a stop command. All further data
transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().

Fixes: CVE-2020-13253
Cc: Prasad J Pandit
Reported-by: Alexander Bulekov
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Alistair Francis
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
---
 hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 0f048358ab..29de05f576 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,= SDRequest req) case 17: /* CMD17: READ_SINGLE_BLOCK */ switch (sd->state) { case sd_transfer_state: + + if (addr + sd->blk_len > sd->size) { + sd->card_status |=3D ADDRESS_ERROR; + return sd_r1; + } + sd->state =3D sd_sendingdata_state; sd->data_start =3D addr; sd->data_offset =3D 0; - - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; - } return sd_r1; =20 default:
@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,= SDRequest req) case 18: /* CMD18: READ_MULTIPLE_BLOCK */ switch (sd->state) { case sd_transfer_state: + + if (addr + sd->blk_len > sd->size) { + sd->card_status |=3D ADDRESS_ERROR; + return sd_r1; + } + sd->state =3D sd_sendingdata_state; sd->data_start =3D addr; sd->data_offset =3D 0; - - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; - } return sd_r1; =20 default: @@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,= SDRequest req) /* Writing in SPI mode not implemented. */ if (sd->spi) break; + + if (addr + sd->blk_len > sd->size) { + sd->card_status |=3D ADDRESS_ERROR; + return sd_r1; + } + sd->state =3D sd_receivingdata_state; sd->data_start =3D addr; sd->data_offset =3D 0; sd->blk_written =3D 0; =20 - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; - } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |=3D WP_VIOLATION; } @@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,= SDRequest req) /* Writing in SPI mode not implemented. */ if (sd->spi) break; + + if (addr + sd->blk_len > sd->size) { + sd->card_status |=3D ADDRESS_ERROR; + return sd_r1; + } + sd->state =3D sd_receivingdata_state; sd->data_start =3D addr; sd->data_offset =3D 0; sd->blk_written =3D 0; =20 - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; - } if (sd_wp_addr(sd, sd->data_start)) { sd->card_status |=3D WP_VIOLATION; } --=20 2.21.3
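Review bot: the check added in the CMD17 hunk only rejects on the address bound (`addr + sd->blk_len > sd->size`), while the commit message quotes the spec as rejecting a read when either BLOCK_LEN_ERROR or ADDRESS_ERROR occurred; a pending BLOCK_LEN_ERROR still lets the card move to sd_sendingdata_state. Either also bail out before the state change when `sd->card_status & BLOCK_LEN_ERROR` is set, or trim the quoted spec text so the message only claims the ADDRESS_ERROR case this hunk handles.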
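Review bot: the CMD18 hunk duplicates the four-line bounds check from the CMD17 hunk verbatim, and the two write hunks below copy it twice more. A small static helper that takes `sd` and `addr` and sets ADDRESS_ERROR when `addr + sd->blk_len > sd->size` would keep the bound in one place, so a later change (for instance accounting for the multi-block length on CMD18/CMD25) cannot diverge between the four commands.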
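Review bot: in the CMD24 hunk the new address check is placed after `if (sd->spi) break;`, so in SPI mode an out-of-range write address falls through without ADDRESS_ERROR being set. The existing comment says SPI writes are not implemented, so this is harmless today, but hoisting the check above the SPI bail-out (or noting the asymmetry in a comment) would keep the error reporting the same in both modes.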
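Review bot: the CMD25 hunk validates only the first block, `addr + sd->blk_len > sd->size`, so a multi-block write that starts in range can still advance `data_start` past the end of the card. The commit message points at the `sd->card_status` check at the start of sd_write_data(), which guards the error bit rather than the offset; please confirm that the per-block advance in sd_write_data() re-checks the bound, or state in the message that it does.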
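A toy model of the CMD17 path, as an added example that is not QEMU's code and not part of this patch: it places the pre-fix ordering (set `sd->state` first, flag ADDRESS_ERROR afterwards) next to the patched ordering and drives both with a block address one past the end of the card. The SDState layout, the 4 KiB backing store, the clear-on-read handling in the R1 response and the return codes of `sd_read_data_model()` are assumptions of the model, not taken from hw/sd/sd.c:

```c
/*
 * Added example, not QEMU code: a toy model of the CMD17 path in hw/sd/sd.c
 * showing why the address check must come before the state change. The
 * struct, the 4 KiB card, the clear-on-read R1 handling and the return codes
 * are assumptions of this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum sd_state { sd_transfer_state, sd_sendingdata_state };

#define ADDRESS_ERROR (1u << 30)   /* bit position assumed for the model */
#define BLK_LEN       512
#define CARD_SIZE     4096

typedef struct {
    enum sd_state state;
    uint32_t card_status;
    uint64_t size, blk_len, data_start, data_offset;
    uint8_t  data[BLK_LEN];          /* block buffer handed to the host */
    uint8_t  storage[CARD_SIZE];     /* the card's backing store */
} SDState;

static void sd_init(SDState *sd)
{
    memset(sd, 0, sizeof(*sd));
    sd->state = sd_transfer_state;
    sd->size = CARD_SIZE;
    sd->blk_len = BLK_LEN;
    memset(sd->storage, 0xA5, sizeof(sd->storage));
}

/* R1 response: the error flag is reported and then cleared (clear-on-read, assumed). */
static uint32_t sd_response_r1(SDState *sd)
{
    uint32_t r = sd->card_status;
    sd->card_status &= ~ADDRESS_ERROR;
    return r;
}

/* CMD17 before the fix: the state changes first, the error is flagged after. */
static uint32_t cmd17_before(SDState *sd, uint64_t addr)
{
    sd->state = sd_sendingdata_state;
    sd->data_start = addr;
    sd->data_offset = 0;
    if (sd->data_start + sd->blk_len > sd->size) {
        sd->card_status |= ADDRESS_ERROR;
    }
    return sd_response_r1(sd);
}

/* CMD17 after the fix: reject the command and stay in transfer state. */
static uint32_t cmd17_after(SDState *sd, uint64_t addr)
{
    if (addr + sd->blk_len > sd->size) {
        sd->card_status |= ADDRESS_ERROR;
        return sd_response_r1(sd);
    }
    sd->state = sd_sendingdata_state;
    sd->data_start = addr;
    sd->data_offset = 0;
    return sd_response_r1(sd);
}

/*
 * Host reads one data byte, as sd_read_data() would. Returns the byte
 * (0..255), -1 when the card refuses, or -2 when the whole-block fetch would
 * fall outside the backing store (the model refuses instead of reading OOB).
 */
static int sd_read_data_model(SDState *sd)
{
    if (sd->state != sd_sendingdata_state) return -1;
    if (sd->card_status & ADDRESS_ERROR)    return -1;
    if (sd->data_offset == 0) {
        if (sd->data_start + sd->blk_len > sd->size) return -2;
        memcpy(sd->data, sd->storage + sd->data_start, sd->blk_len);
    }
    int byte = sd->data[sd->data_offset++];
    if (sd->data_offset >= sd->blk_len) {
        sd->state = sd_transfer_state;   /* block delivered, back to transfer */
    }
    return byte;
}

/* CMD17 at `addr`, then the first data byte read, with the old or the fixed ordering. */
static int read_after_cmd17(bool fixed, uint64_t addr)
{
    SDState sd;
    sd_init(&sd);
    if (fixed) cmd17_after(&sd, addr); else cmd17_before(&sd, addr);
    return sd_read_data_model(&sd);
}

/* State the card is left in after a CMD17 one block past the end of the card. */
static enum sd_state state_after_bad_cmd17(bool fixed)
{
    SDState sd;
    sd_init(&sd);
    if (fixed) cmd17_after(&sd, CARD_SIZE); else cmd17_before(&sd, CARD_SIZE);
    return sd.state;
}
```

With the old ordering the R1 response has already cleared the flag by the time the host reads data, so the whole-block fetch would run past the backing store; with the patched ordering the card never leaves sd_transfer_state and the read is refused. An address that is in range but whose block crosses the end of the card (CARD_SIZE - BLK_LEN + 1) behaves the same way in both variants.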