1928146 – (CVE-2021-3409) CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085

Bug 1928146 (CVE-2021-3409) - CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085

Summary: CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-3409
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1928171 1928170
Blocks:	1927818 1928150
TreeView+	depends on / blocked

Reported:	2021-02-12 13:37 UTC by Mauro Matteo Cascella
Modified:	2021-04-02 16:21 UTC (History)
CC List:	35 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	The patch for CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation code of QEMU, was found to be incomplete. A malicious privileged guest could reproduce the same issues with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks(). CVE-2021-3409 was assigned to facilitate the tracking and backporting of the new patch.
Clone Of:
Environment:
Last Closed:	2021-02-12 16:09:46 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2021-02-12 13:37:14 UTC

Upstream commit [1] was supposed to fix CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation of QEMU. In fact, it turned out it was still possible to reproduce the same issue with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks().

[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3

Comment 1 Mauro Matteo Cascella 2021-02-12 13:37:22 UTC

Statement:

This flaw does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for SDHCI device emulation.

Comment 4 Mauro Matteo Cascella 2021-02-12 14:45:35 UTC

Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1928171]
Affects: fedora-all [bug 1928170]

Comment 5 Product Security DevOps Team 2021-02-12 16:09:46 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3409

Comment 6 Mauro Matteo Cascella 2021-03-09 08:53:31 UTC

Upstream patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

Comment 7 Mauro Matteo Cascella 2021-03-09 14:35:33 UTC

External References:

https://www.openwall.com/lists/oss-security/2021/03/09/1

Comment 8 Mauro Matteo Cascella 2021-03-23 13:55:15 UTC

Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
https://git.qemu.org/?p=qemu.git;a=commit;h=8be45cc947832b3c02144c9d52921f499f2d77fe
https://git.qemu.org/?p=qemu.git;a=commit;h=bc6f28995ff88f5d82c38afcfd65406f0ae375aa
https://git.qemu.org/?p=qemu.git;a=commit;h=5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
https://git.qemu.org/?p=qemu.git;a=commit;h=cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9

Note You need to log in before you can comment on or make changes to this bug.

ailan
berrange
carnil
cfergeau
dbecker
drjones
imammedo
itamar
jen
jferlan
jforbes
jjoyce
jmaloy
jschluet
knoel
lhh
lkundrak
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
ondrejj
pbonzini
philmd
ribarry
rjones
robinlee.sysu
sclewis
slinaber
virt-maint
virt-maint
vkuznets
xen-maint