Bug 1862167 (CVE-2020-17380) - CVE-2020-17380 QEMU: heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c
Summary: CVE-2020-17380 QEMU: heap buffer overflow in sdhci_sdma_transfer_multi_blocks...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-17380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1835821
TreeView+ depends on / blocked
 
Reported: 2020-07-30 15:44 UTC by Mauro Matteo Cascella
Modified: 2021-02-12 14:30 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in QEMU. A heap-based buffer overflow vulnerability was found in the SDHCI device emulation support allowing a guest user or process to crash the QEMU process on the host resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-08-11 21:16:01 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-07-30 15:44:13 UTC
A heap-based buffer overflow vulnerability was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via sdhci_sdma_transfer_multi_blocks() routine. A guest user or process could use this flaw to crash the QEMU process on the host resulting in a denial-of-service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

Comment 1 Mauro Matteo Cascella 2020-07-30 15:44:16 UTC
Acknowledgments:

Name: Alexander Bulekov

Comment 2 Mauro Matteo Cascella 2020-07-30 15:51:22 UTC
Statement:

This flaw did not affect the following versions of QEMU as they did not include support for SDHCI device emulation:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7, 8, and RHEL Advanced Virtualization.

Comment 8 Product Security DevOps Team 2020-08-11 21:16:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17380

Comment 9 Mauro Matteo Cascella 2020-09-17 08:48:10 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html

Comment 10 Salvatore Bonaccorso 2021-02-06 09:50:44 UTC
Is this just a duplicate of CVE-2020-25085?

Comment 11 Mauro Matteo Cascella 2021-02-08 14:18:56 UTC
In reply to comment #10:
> Is this just a duplicate of CVE-2020-25085?

Yeah, looks like they are very similar. Apparently, CVE-2020-25085 is caused by an issue in SDHC_BLKSIZE case [1], while this CVE deals with multi block SDMA (sdhci_sdma_transfer_multi_blocks). As far as I understand, what seems to be the patch for CVE-2020-25085 [2] does not fix this CVE. And the patch for this CVE (comment 9) has not been merged upstream. So in a sense it's reasonable to keep them separate. 

In any case, I'm also noticing that bug 1892960 [3] is still reproducible upstream, which is very strange. I will need to investigate further, as I may be wrong...

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25085
[2] https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00303.html
[3] https://bugs.launchpad.net/qemu/+bug/1892960

Comment 12 Sylvain Beucler 2021-02-09 14:48:00 UTC
Hi. FYI the confusion between the 2 CVEs led https://ubuntu.com/security/CVE-2020-17380 to be fixed using [2].
If there's a fix, it might make sense to request a new CVE so it makes it to the distros.

Comment 13 Mauro Matteo Cascella 2021-02-11 16:14:03 UTC
FYI: https://lists.nongnu.org/archive/html/qemu-devel/2021-02/msg03102.html.

> If there's a fix, it might make sense to request a new CVE so it makes it to
> the distros.

Agreed, will request/assign a new CVE for this. Thank you.

Comment 14 Mauro Matteo Cascella 2021-02-12 14:30:59 UTC
CVE-2021-3409 assigned. Please refer to BZ#1928146 for further updates, most notably upstream patch(es) when they get finalized.


Note You need to log in before you can comment on or make changes to this bug.