On Mon, Jul 17, 2023 at 05:53:16PM +0200, Philippe Mathieu-Daudé wrote:
> Since we committed a9bcedd15a ("hw/sd/sdcard: Do not allow invalid
> SD card sizes") to preclude some guests to access beyond the size
> of the card (leading to security issues such as CVE-2020-13253), various
> users complained this prevents them from running guests potentially well
> behaving with non-power-of-2 card sizes. In order to allow them to
> experiment with such guests, add a property to disable the pow2
> check.
>
> Resolves: https://bugs.launchpad.net/qemu/+bug/1910586
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/297
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1754

IIUC from skimming those issues, it is more or less agreed that having a power-of-2 check is not the right thing to do in QEMU. We've only kept it because no one has done the work to figure out what the correct solution is so far and we didn't want to leave the CVE open. In theory we might one day do the correct fix and remove this bogus pow2 check. With that in mind...

> Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org> > --- > hw/sd/sd.c | 31 ++++++++++++++++++++++++++++--- > 1 file changed, 28 insertions(+), 3 deletions(-) > > diff --git a/hw/sd/sd.c b/hw/sd/sd.c > index 77a717d355..feada6607a 100644 > --- a/hw/sd/sd.c > +++ b/hw/sd/sd.c > @@ -108,6 +108,7 @@ struct SDState { > uint8_t spec_version; > BlockBackend *blk; > bool spi; > + bool bypass_pow2_size_check; > > /* Runtime changeables */ > > @@ -2126,6 +2127,9 @@ static void sd_instance_finalize(Object *obj) > timer_free(sd->ocr_power_timer); > } > > +#define PROP_NAME_BYPASS_POW2_SIZE_CHECK \ > + "allow-unsafe-unsupported-not-power-of-2-size"

...this property is at best a hack caused by our inability to correctly fix the CVE so far. This suggests it ought to have the 'x-' prefix to indicate it isn't our desired long term solution and is liable to change.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
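
Review bot: the new "bool bypass_pow2_size_check;" field in the struct SDState hunk carries no comment saying that it turns off the card-size check introduced by a9bcedd15a, so someone reading the struct cannot tell that the flag is security-relevant. A one-line comment on the field naming the check it bypasses, and that the default must stay false, would make that visible where the state is declared.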
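
Review bot: the string defined by PROP_NAME_BYPASS_POW2_SIZE_CHECK in the second hunk, "allow-unsafe-unsupported-not-power-of-2-size", becomes a user-visible property name with no marker that it is unstable. QEMU's convention for experimental properties is an "x-" prefix, so a name starting with "x-" would tell users and management tools that the knob may change or be removed once the size handling is fixed properly. The quoted hunk stops at the #define, so how the flag gates the size check cannot be reviewed from these lines.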