From: Alexander Bulekov
Subject: Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
Date: Mon, 15 Feb 2021 11:46:51 -0500

Hi Bin,
Thank you for this. I ran through the OSS-Fuzz tests again, and it found
one thing:

Maybe this is already much better than the current state of the code, so
this one can be fixed in a later patch?

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
-m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
EOF


==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x615000031880 thread T0
#0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
#1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
#2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
#3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
#4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
#5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
#6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
#7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
#8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
#9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
#10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
#11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
#12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
#13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
#14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
#15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18


-Alex

On 210215 2311, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
> 
> This series includes several fixes to CVE-2020-17380, CVE-2020-25085
> and CVE-2021-3409 that are heap-based buffer overflow issues existing
> in the sdhci model.
> 
> These CVEs are pretty much similar, and were filed using different
> reproducers. With this series, current known reproducers I have
> cannot be reproduced any more.
> 
> The implementation of this model may still have some issues, i.e.:
> some code does not strictly match the spec, but since this series
> only aims to address CVEs, such issue should be fixed in a separate
> series in the future, if I have time :)
> 
> 
> Bin Meng (4):
>   hw/sd: sdhci: Don't transfer any data when command time out
>   hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
>     progress
>   hw/sd: sdhci: Correctly set the controller status for ADMA
>   hw/sd: sdhci: Simplify updating s->prnsts in
>     sdhci_sdma_transfer_multi_blocks()
> 
>  hw/sd/sdhci.c | 34 ++++++++++++++++++++--------------
>  1 file changed, 20 insertions(+), 14 deletions(-)
> 
> -- 
> 2.7.4
> 
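As an added illustration (not QEMU's hw/sd/sdhci.c and not code from this thread), the C model below sketches the kind of guard the first patch title describes: an SDMA multi-block copy that moves no data after a command timeout and bounds every block by the device buffer it reads from, so a guest-programmed block size cannot overread that buffer. FIFO_SIZE, the struct layout and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIFO_SIZE 512u        /* assumed size of the device-side data buffer */
#define BLKSIZE_MASK 0x0fffu  /* 12-bit block-size field of the register */

enum { SDMA_ERR_TIMEOUT = -1, SDMA_ERR_BLKSIZE = -2, SDMA_ERR_GUEST_RANGE = -3 };

struct sdhci_model {              /* hypothetical, simplified device state */
    uint8_t  fifo[FIFO_SIZE];     /* buffer each block is copied out of */
    uint16_t blksize;             /* guest-programmed block size register */
    uint16_t blkcnt;              /* guest-programmed block count register */
    bool     cmd_timed_out;       /* command phase ended in a timeout */
};

/* Guarded SDMA multi-block copy from the FIFO into `guest`. It moves nothing
 * after a command timeout and never reads more than FIFO_SIZE per block, so
 * the FIFO cannot be overread. Returns bytes copied, or a negative error code. */
static long sdma_transfer_multi_blocks(struct sdhci_model *s, uint8_t *guest, size_t guest_len)
{
    size_t blksize = s->blksize & BLKSIZE_MASK;
    if (s->cmd_timed_out) return SDMA_ERR_TIMEOUT;
    if (blksize == 0 || blksize > FIFO_SIZE) return SDMA_ERR_BLKSIZE;
    size_t total = blksize * (size_t)s->blkcnt;
    if (total > guest_len) return SDMA_ERR_GUEST_RANGE;
    for (size_t off = 0; off < total; off += blksize)
        memcpy(guest + off, s->fifo, blksize);  /* bounded by the checks above */
    return (long)total;
}

/* Driver with constructed inputs: a 0x5a-filled FIFO and a 4 KiB guest buffer.
 * Returns the transfer result, or -100 if the copied bytes do not match. */
static long run_case(uint16_t blksize, uint16_t blkcnt, bool timed_out)
{
    struct sdhci_model s = { .blksize = blksize, .blkcnt = blkcnt, .cmd_timed_out = timed_out };
    uint8_t guest[4096] = { 0 };
    memset(s.fifo, 0x5a, sizeof s.fifo);
    long n = sdma_transfer_multi_blocks(&s, guest, sizeof guest);
    for (long i = 0; i < n; i++)
        if (guest[i] != 0x5a) return -100;
    return n;
}
```

The block size 0x0200 used in the cases matches the value the reproducer above programs into the block-size register.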
