packages/qemu - qemu - OEPKGS Git Repository for openEuler 24.03 LTS SP1 Template

packages/qemu

Fork 0

Commit Graph

Author	SHA1	Message	Date
Huawei Technologies Co., Ltd	03ac057064	sd: sdhci: assert data_count is within fifo_buffer Fix CVE-2020-17380 While doing multi block SDMA, transfer block size may exceed the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the current element pointer 's->data_count' pointing out of bounds. Leading the subsequent DMA r/w operation to OOB access issue. Assert that 's->data_count' is within fifo_buffer. -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow WRITE of size 54722048 at 0x61500001e280 thread T3 #0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d) #1 flatview_read_continue ../exec.c:3245 #2 flatview_read ../exec.c:3278 #3 address_space_read_full ../exec.c:3291 #4 address_space_rw ../exec.c:3319 #5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87 #6 dma_memory_rw ../include/sysemu/dma.h:110 #7 dma_memory_read ../include/sysemu/dma.h:116 #8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629 #9 sdhci_write ../hw/sd/sdhci.c:1097 #10 memory_region_write_accessor ../softmmu/memory.c:483 ... Reported-by: Ruhr-University <bugs-syssec@rub.de> Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html Signed-off-by: Jiajie Li <lijiajie11@hw.com>	2021-02-19 21:27:56 +08:00

Author

SHA1

Message

Date

Huawei Technologies Co., Ltd

03ac057064

sd: sdhci: assert data_count is within fifo_buffer

Fix CVE-2020-17380

While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to OOB access issue.
Assert that 's->data_count' is within fifo_buffer.

 -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
 ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
 WRITE of size 54722048 at 0x61500001e280 thread T3
 #0  __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
 #1  flatview_read_continue ../exec.c:3245
 #2  flatview_read ../exec.c:3278
 #3  address_space_read_full ../exec.c:3291
 #4  address_space_rw ../exec.c:3319
 #5  dma_memory_rw_relaxed ../include/sysemu/dma.h:87
 #6  dma_memory_rw ../include/sysemu/dma.h:110
 #7  dma_memory_read ../include/sysemu/dma.h:116
 #8  sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
 #9  sdhci_write ../hw/sd/sdhci.c:1097
 #10 memory_region_write_accessor ../softmmu/memory.c:483
 ...

Reported-by: Ruhr-University <bugs-syssec@rub.de>
Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
Signed-off-by: Jiajie Li <lijiajie11@hw.com>

2021-02-19 21:27:56 +08:00

1 Commits