1299471 – qemu: Out-of-bounds read in sd

Bug 1299471 - qemu: Out-of-bounds read in sd

Summary: qemu: Out-of-bounds read in sd

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1299461
TreeView+	depends on / blocked

Reported:	2016-01-18 12:48 UTC by Adam Mariš
Modified:	2021-06-01 15:04 UTC (History)
CC List:	35 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-21 05:18:30 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Adam Mariš 2016-01-18 12:48:57 UTC

An out-of-bounds read was reported in sd.c allowing privileged user in guest to cause kernel DoS.

Vulnerable code:

//qemu/hw/sd/sd.c
static sd_rsp_type_t sd_normal_command(SDState *sd,
SDRequest req)
{
uint32_t rca = 0x0000;
uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 :
req.arg;

/* Not interpreting this as an app command */
sd->card_status &= ~APP_CMD;

//here!! sd_cmd_type is an array of 64 bytes,but req.cmd can be a value
from 0 to 0xff, so sd_cmd_type[req.cmd] could be make a out-of-bounds read
issue.
if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
rca = req.arg >> 16;

...
}

Note You need to log in before you can comment on or make changes to this bug.

abaron
alonbl
aortega
apevec
areis
ayoung
bmcclain
chrisw
dallan
dblechte
gklein
gkotton
jen
jschluet
knoel
lhh
lpeer
markmc
mgoldboi
michal.skrivanek
mkenneth
mrezanin
mst
osoukup
pbonzini
ppandit
rbalakri
rbryant
sclewis
security-response-team
sherold
tdecacqu
yeylon
ykaul
ylavi