The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46:
Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-reque= st' into staging (2020-07-13 16:58:44 +0100) are available in the Git repository at: https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd: hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07= -14 15:46:14 +0200) ---------------------------------------------------------------- Fix CVE-2020-13253 By using invalidated address, guest can do out-of-bounds accesses. These patches fix the issue by only allowing SD card image sizes power of 2, and not switching to SEND_DATA state when the address is invalid (out of range). This issue was found using QEMU fuzzing mode (using --enable-fuzzing, see docs/devel/fuzzing.txt) and reported by Alexander Bulekov. Reproducer: https://bugs.launchpad.net/qemu/+bug/1880822/comments/1 CI jobs results: . https://cirrus-ci.com/build/5157142548185088 . https://gitlab.com/philmd/qemu/-/pipelines/166381731 . https://travis-ci.org/github/philmd/qemu/builds/707956535 ---------------------------------------------------------------- Niek Linnenbank (1): docs/orangepi: Add instructions for resizing SD image to power of two Philippe Mathieu-Daud=C3=A9 (8): MAINTAINERS: Cc qemu-block mailing list tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' tests/acceptance/boot_linux: Expand SD card image to power of 2 hw/sd/sdcard: Restrict Class 6 commands to SCSD cards hw/sd/sdcard: Simplify realize() a bit hw/sd/sdcard: Do not allow invalid SD card sizes hw/sd/sdcard: Update coding style to make checkpatch.pl happy hw/sd/sdcard: Do not switch to ReceivingData if address is invalid docs/system/arm/orangepi.rst | 16 ++++- hw/sd/sd.c | 86 ++++++++++++++++++++------ MAINTAINERS | 1 + tests/acceptance/boot_linux_console.py | 34 +++++++--- 4 files changed, 106 insertions(+), 31 deletions(-) --=20 2.21.3
