Headline
CVE-2020-17380: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
From:
P J P
Subject:
[PATCH v1] sd: sdhci: assert data_count is within fifo_buffer
Date:
Thu, 3 Sep 2020 12:38:42 +0530
From: Prasad J Pandit [email protected]
While doing multi block SDMA, transfer block size may exceed the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the current element pointer ‘s->data_count’ pointing out of bounds. Leading the subsequent DMA r/w operation to OOB access issue. Assert that ‘s->data_count’ is within fifo_buffer.
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow WRITE of size 54722048 at 0x61500001e280 thread T3 #0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d) #1 flatview_read_continue …/exec.c:3245 #2 flatview_read …/exec.c:3278 #3 address_space_read_full …/exec.c:3291 #4 address_space_rw …/exec.c:3319 #5 dma_memory_rw_relaxed …/include/sysemu/dma.h:87 #6 dma_memory_rw …/include/sysemu/dma.h:110 #7 dma_memory_read …/include/sysemu/dma.h:116 #8 sdhci_sdma_transfer_multi_blocks …/hw/sd/sdhci.c:629 #9 sdhci_write …/hw/sd/sdhci.c:1097 #10 memory_region_write_accessor …/softmmu/memory.c:483 …
Reported-by: Ruhr-University [email protected] Suggested-by: Philippe Mathieu-Daudé [email protected] Signed-off-by: Prasad J Pandit [email protected]
hw/sd/sdhci.c | 2 ++ 1 file changed, 2 insertions(+)
Update v1: use assert(3) calls -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00966.html
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 1785d7e1f7…023acbed41 100644 — a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -604,6 +604,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) s->blkcnt–; } }
assert(s->data\_count <= s->buf\_maxsz && s->data\_count > begin); dma\_memory\_write(s->dma\_as, s->sdmasysad, &s->fifo\_buffer\[begin\], s->data\_count - begin); s->sdmasysad += s->data\_count - begin;
@@ -626,6 +627,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) s->data_count = block_size; boundary_count -= block_size - begin; }
assert(s->data\_count <= s->buf\_maxsz && s->data\_count > begin); dma\_memory\_read(s->dma\_as, s->sdmasysad, &s->fifo\_buffer\[begin\], s->data\_count - begin); s->sdmasysad += s->data\_count - begin;
– 2.26.2
[PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, P J P <=
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, Philippe Mathieu-Daudé, 2020/09/03
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, Philippe Mathieu-Daudé, 2020/09/03
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, P J P, 2020/09/03
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, P J P, 2020/09/03
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, Philippe Mathieu-Daudé, 2020/09/03
- Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer, Philippe Mathieu-Daudé, 2020/09/03
Prev by Date: Re: [PATCH] stubs: Move qemu_fd_register stub to util/main-loop.c
Next by Date: [PATCH v2 00/12] target/microblaze improvements
Previous by thread: [PATCH] stubs: Move qemu_fd_register stub to util/main-loop.c
Next by thread: Re: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer
Index(es):
- Date
- Thread