Re: [PULL 0/9] sdcard: Fix CVE-2020-13253

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PULL 0/9] sdcard: Fix CVE-2020-13253

From:	Peter Maydell
Subject:	Re: [PULL 0/9] sdcard: Fix CVE-2020-13253
Date:	Wed, 15 Jul 2020 12:20:39 +0100

On Tue, 14 Jul 2020 at 15:00, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-reque=
> st' into staging (2020-07-13 16:58:44 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request
>
> for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd:
>
>   hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07=
> -14 15:46:14 +0200)
>
> ----------------------------------------------------------------
> Fix CVE-2020-13253
>
> By using invalidated address, guest can do out-of-bounds accesses.
> These patches fix the issue by only allowing SD card image sizes
> power of 2, and not switching to SEND_DATA state when the address
> is invalid (out of range).
>
> This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
> see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.
>
> Reproducer:
>   https://bugs.launchpad.net/qemu/+bug/1880822/comments/1
>
> CI jobs results:
> . https://cirrus-ci.com/build/5157142548185088
> . https://gitlab.com/philmd/qemu/-/pipelines/166381731
> . https://travis-ci.org/github/philmd/qemu/builds/707956535
> ----------------------------------------------------------------



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 0/9] sdcard: Fix CVE-2020-13253, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 1/9] MAINTAINERS: Cc qemu-block mailing list, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 2/9] docs/orangepi: Add instructions for resizing SD image to power of two, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 3/9] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd', Philippe Mathieu-Daudé, 2020/07/14
- [PULL 6/9] hw/sd/sdcard: Simplify realize() a bit, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 4/9] tests/acceptance/boot_linux: Expand SD card image to power of 2, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 5/9] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 7/9] hw/sd/sdcard: Do not allow invalid SD card sizes, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 9/9] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, Philippe Mathieu-Daudé, 2020/07/14
- [PULL 8/9] hw/sd/sdcard: Update coding style to make checkpatch.pl happy, Philippe Mathieu-Daudé, 2020/07/14
- Re: [PULL 0/9] sdcard: Fix CVE-2020-13253, Peter Maydell <=

Prev by Date: Re: [PULL v2 0/8] final misc fixes for 5.1-rc0
Next by Date: Re: [PATCH 05/13] qapi: introduce replay.json for record/replay-related stuff
Previous by thread: [PULL 8/9] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
Next by thread: Re: [PULL 14/31] target/i386: reimplement f2xm1 using floatx80 operations
Index(es):
- Date
- Thread