[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 0/9] sdcard: Fix CVE-2020-13253
From: |
Philippe Mathieu-Daudé |
Subject: |
[PULL 0/9] sdcard: Fix CVE-2020-13253 |
Date: |
Tue, 14 Jul 2020 15:58:05 +0200 |
The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46:
Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-reque=
st' into staging (2020-07-13 16:58:44 +0100)
are available in the Git repository at:
https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request
for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd:
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07=
-14 15:46:14 +0200)
----------------------------------------------------------------
Fix CVE-2020-13253
By using invalidated address, guest can do out-of-bounds accesses.
These patches fix the issue by only allowing SD card image sizes
power of 2, and not switching to SEND_DATA state when the address
is invalid (out of range).
This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.
Reproducer:
https://bugs.launchpad.net/qemu/+bug/1880822/comments/1
CI jobs results:
. https://cirrus-ci.com/build/5157142548185088
. https://gitlab.com/philmd/qemu/-/pipelines/166381731
. https://travis-ci.org/github/philmd/qemu/builds/707956535
----------------------------------------------------------------
Niek Linnenbank (1):
docs/orangepi: Add instructions for resizing SD image to power of two
Philippe Mathieu-Daud=C3=A9 (8):
MAINTAINERS: Cc qemu-block mailing list
tests/acceptance/boot_linux: Tag tests using a SD card with
'device:sd'
tests/acceptance/boot_linux: Expand SD card image to power of 2
hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
hw/sd/sdcard: Simplify realize() a bit
hw/sd/sdcard: Do not allow invalid SD card sizes
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
docs/system/arm/orangepi.rst | 16 ++++-
hw/sd/sd.c | 86 ++++++++++++++++++++------
MAINTAINERS | 1 +
tests/acceptance/boot_linux_console.py | 34 +++++++---
4 files changed, 106 insertions(+), 31 deletions(-)
--=20
2.21.3
- [PULL 0/9] sdcard: Fix CVE-2020-13253,
Philippe Mathieu-Daudé <=
- [PULL 1/9] MAINTAINERS: Cc qemu-block mailing list, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 2/9] docs/orangepi: Add instructions for resizing SD image to power of two, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 3/9] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd', Philippe Mathieu-Daudé, 2020/07/14
- [PULL 6/9] hw/sd/sdcard: Simplify realize() a bit, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 4/9] tests/acceptance/boot_linux: Expand SD card image to power of 2, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 5/9] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 7/9] hw/sd/sdcard: Do not allow invalid SD card sizes, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 9/9] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 8/9] hw/sd/sdcard: Update coding style to make checkpatch.pl happy, Philippe Mathieu-Daudé, 2020/07/14
- Re: [PULL 0/9] sdcard: Fix CVE-2020-13253, Peter Maydell, 2020/07/15