03ac057064
Fix CVE-2020-17380 While doing multi block SDMA, transfer block size may exceed the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the current element pointer 's->data_count' pointing out of bounds. Leading the subsequent DMA r/w operation to OOB access issue. Assert that 's->data_count' is within fifo_buffer. -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow WRITE of size 54722048 at 0x61500001e280 thread T3 #0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d) #1 flatview_read_continue ../exec.c:3245 #2 flatview_read ../exec.c:3278 #3 address_space_read_full ../exec.c:3291 #4 address_space_rw ../exec.c:3319 #5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87 #6 dma_memory_rw ../include/sysemu/dma.h:110 #7 dma_memory_read ../include/sysemu/dma.h:116 #8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629 #9 sdhci_write ../hw/sd/sdhci.c:1097 #10 memory_region_write_accessor ../softmmu/memory.c:483 ... Reported-by: Ruhr-University <bugs-syssec@rub.de> Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html Signed-off-by: Jiajie Li <lijiajie11@hw.com>
66 lines
2.6 KiB
Diff
66 lines
2.6 KiB
Diff
From e8d2655821caa2b8efce429c0036a93342b8383d Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 8 Feb 2021 17:14:21 +0800
|
|
Subject: [PATCH] sd: sdhci: assert data_count is within fifo_buffer
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Fix CVE-2020-17380
|
|
|
|
While doing multi block SDMA, transfer block size may exceed
|
|
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
|
|
current element pointer 's->data_count' pointing out of bounds.
|
|
Leading the subsequent DMA r/w operation to OOB access issue.
|
|
Assert that 's->data_count' is within fifo_buffer.
|
|
|
|
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
|
|
==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
|
|
WRITE of size 54722048 at 0x61500001e280 thread T3
|
|
#0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
|
|
#1 flatview_read_continue ../exec.c:3245
|
|
#2 flatview_read ../exec.c:3278
|
|
#3 address_space_read_full ../exec.c:3291
|
|
#4 address_space_rw ../exec.c:3319
|
|
#5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87
|
|
#6 dma_memory_rw ../include/sysemu/dma.h:110
|
|
#7 dma_memory_read ../include/sysemu/dma.h:116
|
|
#8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
|
|
#9 sdhci_write ../hw/sd/sdhci.c:1097
|
|
#10 memory_region_write_accessor ../softmmu/memory.c:483
|
|
...
|
|
|
|
Reported-by: Ruhr-University <bugs-syssec@rub.de>
|
|
Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
|
patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
|
|
Signed-off-by: Jiajie Li <lijiajie11@hw.com>
|
|
---
|
|
hw/sd/sdhci.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
|
index 7b80b1d93f..e51573fe3c 100644
|
|
--- a/hw/sd/sdhci.c
|
|
+++ b/hw/sd/sdhci.c
|
|
@@ -613,6 +613,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
|
s->blkcnt--;
|
|
}
|
|
}
|
|
+ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
|
|
dma_memory_write(s->dma_as, s->sdmasysad,
|
|
&s->fifo_buffer[begin], s->data_count - begin);
|
|
s->sdmasysad += s->data_count - begin;
|
|
@@ -635,6 +636,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
|
s->data_count = block_size;
|
|
boundary_count -= block_size - begin;
|
|
}
|
|
+ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
|
|
dma_memory_read(s->dma_as, s->sdmasysad,
|
|
&s->fifo_buffer[begin], s->data_count - begin);
|
|
s->sdmasysad += s->data_count - begin;
|
|
--
|
|
2.27.0
|
|
|