On Tue, 14 Jul 2020 at 15:00, Philippe Mathieu-Daudé <f4...@amsat.org> wrote: > > The following changes since commit 20c1df5476e1e9b5d3f5b94f9f3ce01d21f14c46: > > Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200713-pull-reque= > st' into staging (2020-07-13 16:58:44 +0100) > > are available in the Git repository at: > > https://gitlab.com/philmd/qemu.git tags/sdcard-CVE-2020-13253-pull-request > > for you to fetch changes up to 790762e5487114341cccc5bffcec4cb3c022c3cd: > > hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (2020-07= > -14 15:46:14 +0200) > > ---------------------------------------------------------------- > Fix CVE-2020-13253 > > By using invalidated address, guest can do out-of-bounds accesses. > These patches fix the issue by only allowing SD card image sizes > power of 2, and not switching to SEND_DATA state when the address > is invalid (out of range). > > This issue was found using QEMU fuzzing mode (using --enable-fuzzing, > see docs/devel/fuzzing.txt) and reported by Alexander Bulekov. > > Reproducer: > https://bugs.launchpad.net/qemu/+bug/1880822/comments/1 > > CI jobs results: > . https://cirrus-ci.com/build/5157142548185088 > . https://gitlab.com/philmd/qemu/-/pipelines/166381731 > . https://travis-ci.org/github/philmd/qemu/builds/707956535 > ----------------------------------------------------------------
Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 for any user-visible changes. -- PMM
