Bug 1862167 (CVE-2020-17380) - CVE-2020-17380 QEMU: heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-17380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1835821
Reported: 2020-07-30 15:44 UTC by Mauro Matteo Cascella
Modified: 2021-02-12 14:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-08-11 21:16:01 UTC
Embargoed:



Description Mauro Matteo Cascella 2020-07-30 15:44:13 UTC
A heap-based buffer overflow vulnerability was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi-block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial-of-service condition, or potentially execute arbitrary code with the privileges of the QEMU process on the host.

Comment 1 Mauro Matteo Cascella 2020-07-30 15:44:16 UTC
Acknowledgments:

Name: Alexander Bulekov

Comment 2 Mauro Matteo Cascella 2020-07-30 15:51:22 UTC
Statement:

This flaw did not affect the following versions of QEMU as they did not include support for SDHCI device emulation:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7, 8, and RHEL Advanced Virtualization.

Comment 8 Product Security DevOps Team 2020-08-11 21:16:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17380

Comment 9 Mauro Matteo Cascella 2020-09-17 08:48:10 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html

Comment 10 Salvatore Bonaccorso 2021-02-06 09:50:44 UTC
Is this just a duplicate of CVE-2020-25085?

Comment 11 Mauro Matteo Cascella 2021-02-08 14:18:56 UTC
In reply to comment #10:
> Is this just a duplicate of CVE-2020-25085?

Yeah, looks like they are very similar. Apparently, CVE-2020-25085 is caused by an issue in the SDHC_BLKSIZE case [1], while this CVE deals with multi-block SDMA (sdhci_sdma_transfer_multi_blocks). As far as I understand, what seems to be the patch for CVE-2020-25085 [2] does not fix this CVE. And the patch for this CVE (comment 9) has not been merged upstream. So in a sense it's reasonable to keep them separate.

In any case, I'm also noticing that bug 1892960 [3] is still reproducible upstream, which is very strange. I will need to investigate further, as I may be wrong...

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25085
[2] https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00303.html
[3] https://bugs.launchpad.net/qemu/+bug/1892960

Comment 12 Sylvain Beucler 2021-02-09 14:48:00 UTC
Hi. FYI, the confusion between the two CVEs led https://ubuntu.com/security/CVE-2020-17380 to be fixed using [2].
If there's a fix, it might make sense to request a new CVE so it makes it to the distros.

Comment 13 Mauro Matteo Cascella 2021-02-11 16:14:03 UTC
FYI: https://lists.nongnu.org/archive/html/qemu-devel/2021-02/msg03102.html.

> If there's a fix, it might make sense to request a new CVE so it makes it to the distros.

Agreed, will request/assign a new CVE for this. Thank you.

Comment 14 Mauro Matteo Cascella 2021-02-12 14:30:59 UTC
CVE-2021-3409 assigned. Please refer to BZ#1928146 for further updates, most notably upstream patch(es) when they get finalized.