Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch | 139 |
1 files changed, 139 insertions, 0 deletions
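--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+
+"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+4.3.3 Data Read
+
+Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+4.3.4 Data Write
+
+Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+Fixes: CVE-2020-13253
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+1 file changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+case 17: /* CMD17: READ_SINGLE_BLOCK */
+switch (sd->state) {
+case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+}
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+return sd_r1;
+
+default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+switch (sd->state) {
+case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+}
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+return sd_r1;
+
+default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+/* Writing in SPI mode not implemented. */
+if (sd->spi)
+break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+sd->state = sd_receivingdata_state;
+sd->data_start = addr;
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+}
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+/* Writing in SPI mode not implemented. */
+if (sd->spi)
+break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+sd->state = sd_receivingdata_state;
+sd->data_start = addr;
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+}
+--
+2.32.0
+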
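Review bot: Line 41 of the new patch file misspells the metadata tag as `Upstram-Status: Backport:`, so any tooling that scans recipe patches for the `Upstream-Status:` tag will not recognise this backport, and the trailing colon with the URL on its own line also departs from the usual single-line form. Suggest collapsing lines 41–42 into `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd]`. The C hunks themselves move the ADDRESS_ERROR check ahead of the state change and return early for CMD17/18/24/25, which is the behaviour the header describes, and they appear to be carried over from the upstream commit unmodified, so I see nothing further to raise on the code.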