1879671 – (CVE-2020-25085) CVE-2020-25085 QEMU: sdhci: out-of-bounds access issue while doing multi block SDMA

Bug 1879671 (CVE-2020-25085) - CVE-2020-25085 QEMU: sdhci: out-of-bounds access issue while doing multi block SDMA

Summary: CVE-2020-25085 QEMU: sdhci: out-of-bounds access issue while doing multi bloc...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-25085
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1879673 1910678
Blocks:	1850259
TreeView+	depends on / blocked

Reported:	2020-09-16 18:49 UTC by Prasad Pandit
Modified:	2022-04-17 21:00 UTC (History)
CC List:	33 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in QEMU. An out-of-bounds read/write access issue was found in the SDHCI Controller emulator of QEMU. It may occur while doing multi block SDMA, if transfer block size exceeds the 's->fifo_buffer[s->buf_maxsz]' size which would leave the current element pointer 's->data_count' pointing out of bounds. This would lead the subsequent DMA r/w operation to an OOB access issue where a guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2020-09-16 20:41:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Prasad Pandit 2020-09-16 18:49:01 UTC

An out-of-bounds r/w access issue was found in the SDHCI Controller emulator of QEMU. It may occur while doing multi block SDMA, if transfer block size exceeds the 's->fifo_buffer[s->buf_maxsz]' size. It'd leave the current element pointer 's->data_count' pointing out of bounds. Leading the subsequent DMA r/w operation to OOB access issue. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01439.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/09/16/6

Comment 1 Prasad Pandit 2020-09-16 18:49:10 UTC

Acknowledgments:

Name: Sergej Schumilo (Ruhr-University Bochum), Cornelius Aschermann (Ruhr-University Bochum), Simon Wrner (Ruhr-University Bochum)

Comment 2 Prasad Pandit 2020-09-16 18:49:15 UTC

External References:

https://bugs.launchpad.net/qemu/+bug/1892960
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1

Comment 3 Prasad Pandit 2020-09-16 18:49:44 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1879673]

Comment 4 Product Security DevOps Team 2020-09-16 20:41:05 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25085

Note You need to log in before you can comment on or make changes to this bug.

ailan
berrange
cfergeau
dbecker
drjones
imammedo
itamar
jen
jferlan
jforbes
jjoyce
jmaloy
jschluet
knoel
lhh
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
ondrejj
pbonzini
philmd
ribarry
rjones
robinlee.sysu
sclewis
slinaber
virt-maint
virt-maint
vkuznets
xen-maint