mirrors/qemu
0
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2024-11-28 22:33:36 +08:00
Code Issues Packages Projects Releases Wiki Activity
a2e5cb7a87
qemu/docs
History
Peter Maydell 3a9163af4e Fix CVE-2020-13253 
By using invalidated address, guest can do out-of-bounds accesses.
 These patches fix the issue by only allowing SD card image sizes
 power of 2, and not switching to SEND_DATA state when the address
 is invalid (out of range).
 
 This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
 see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.
 
 Reproducer:
   https://bugs.launchpad.net/qemu/+bug/1880822/comments/1
 
 CI jobs results:
 . https://cirrus-ci.com/build/5157142548185088
 . https://gitlab.com/philmd/qemu/-/pipelines/166381731
 . https://travis-ci.org/github/philmd/qemu/builds/707956535
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAl8NuSQACgkQ4+MsLN6t
 wN7MEg/+PER/n+CpmrC2lggQ3WJwNjvY09A4yfPfhKldjOi+25/amf/bQ2Zjmj7m
 HoiiPFu7vz+FugOfGv5YFlTS2+VNmN1UZqGqZRwY/YJJKg9am6TJ8zA4UBf4iegi
 OqNBJOPW/EYsAYdH3jUFmW15zAsRHEM6g2vZ1Z4WwVZqfYHsMB/y2khp9Fr+jGU0
 6wDeG0cdap5QVsamIll4/BoxgBa5UdtBYjzo7QBENs+abvOf56jjUqZx0+AL/Ua/
 IOpZ01mmPZJ4wJxPNT87gfEnHv0MRA7bSpJ7TAC80xVoQjeoK+V2Ohvy+rvYPaqm
 5mR0l4M+GGhglCg44wV3uwNonmltCxvTgGqZrQPsa3WnXMFoXqwGZgwl6XrYdLzV
 hVODJAu/Ivegk9AAbVrZGXg/shQtkB4gyoOaE3Qoraf1az9/XudECIo+zwocP4Ip
 Z0ny8bwQKq2QGYrCU3NWlgWi30sj6PeW5e6Jgq/2b1sUeKuUgNuuBPcRmXQ6kaz5
 vMX7qYsXAxvO7o1QlbASzdvSvOXGx+0J0CJctPnY4jAJ7qjvJTKOb0j+jwMNJy+D
 XFAgB+D0go+UvnaPJn6teIHzaD4NqWE37MaamxsMY6RWjAnoy1+OOvZIZTnq+LnH
 iLbgk2EsxlFyBd3aZ/51ukeTUxpNgu9J6iRcXB3yVNBS4vqlBDw=
 =VZsF
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/philmd-gitlab/tags/sdcard-CVE-2020-13253-pull-request' into staging

Fix CVE-2020-13253

By using invalidated address, guest can do out-of-bounds accesses.
These patches fix the issue by only allowing SD card image sizes
power of 2, and not switching to SEND_DATA state when the address
is invalid (out of range).

This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.

Reproducer:
  https://bugs.launchpad.net/qemu/+bug/1880822/comments/1

CI jobs results:
. https://cirrus-ci.com/build/5157142548185088
. https://gitlab.com/philmd/qemu/-/pipelines/166381731
. https://travis-ci.org/github/philmd/qemu/builds/707956535

# gpg: Signature made Tue 14 Jul 2020 14:54:44 BST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* remotes/philmd-gitlab/tags/sdcard-CVE-2020-13253-pull-request:
  hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
  hw/sd/sdcard: Update coding style to make checkpatch.pl happy
  hw/sd/sdcard: Do not allow invalid SD card sizes
  hw/sd/sdcard: Simplify realize() a bit
  hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
  tests/acceptance/boot_linux: Expand SD card image to power of 2
  tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
  docs/orangepi: Add instructions for resizing SD image to power of two
  MAINTAINERS: Cc qemu-block mailing list

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-07-15 09:06:55 +01:00
..
config docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
devel docs/devel/fuzzing: Fix bugs in documentation 2020-07-13 11:40:52 +02:00
interop vhost-vdpa: introduce vhost-vdpa backend 2020-07-07 07:59:51 -04:00
specs softmmu/vl: Allow -fw_cfg 'gen_id' option to use the 'etc/' namespace 2020-07-03 18:16:01 +02:00
sphinx kernel-doc: Use c:struct for Sphinx 3.0 and later 2020-04-14 17:15:33 +01:00
spin docs: create config/, devel/ and spin/ subdirectories 2017-06-07 18:22:03 +02:00
system Fix CVE-2020-13253 2020-07-15 09:06:55 +01:00
tools qcow2: Deprecate use of qemu-img amend to change backing file 2020-07-14 15:18:59 +02:00
user docs: Be consistent about capitalization of 'Arm' 2020-03-12 11:20:20 +00:00
amd-memory-encryption.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
barrier.txt ui: add an embedded Barrier client 2019-09-17 13:43:22 +02:00
block-replication.txt colo: Update Documentation for continuous replication 2020-03-03 18:04:47 +08:00
bootindex.txt docs qemu-doc: Avoid ide-drive, it's deprecated 2017-06-04 18:42:55 +03:00
can.txt docs: Be consistent about capitalization of 'Arm' 2020-03-12 11:20:20 +00:00
ccid.txt libcacard: improve documentation 2014-06-10 07:44:01 +02:00
COLO-FT.txt colo: Update Documentation for continuous replication 2020-03-03 18:04:47 +08:00
colo-proxy.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
conf.py docs: Require Sphinx 1.6 or better 2020-04-14 17:19:38 +01:00
cpu-hotplug.rst docs/cpu-hotplug.rst: Fix rST markup issues 2019-03-07 14:26:44 +00:00
defs.rst.inc docs/system: convert Texinfo documentation to rST 2020-03-06 10:05:12 +00:00
generic-loader.txt docs/generic-loader: mention U-Boot and Intel HEX executable formats 2018-08-20 11:24:31 +01:00
hyperv.txt i386/kvm: add NoNonArchitecturalCoreSharing Hyper-V enlightenment 2019-10-22 09:38:42 +02:00
igd-assign.txt vfio/pci: Add IGD documentation 2016-05-26 11:12:05 -06:00
image-fuzzer.txt docs: List all image elements currently supported by the fuzzer 2014-09-22 11:39:35 +01:00
index.html.in Makefile: Install qemu-[qmp/ga]-ref.* into the directory "interop" 2020-06-26 09:39:37 -04:00
index.rst docs/index.rst, docs/index.html.in: Reorder manuals 2020-03-12 11:14:06 +00:00
memory-hotplug.txt docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
microvm.rst docs/microvm.rst: add instructions for shutting down the guest 2019-11-19 10:01:34 +01:00
multi-thread-compression.txt Replace '-enable-kvm' with '-accel kvm' in docs and help texts 2018-06-28 19:05:32 +02:00
multiseat.txt tests/docker/test-mingw and docs: Remove --with-sdlabi=2.0 2019-02-04 15:25:21 +00:00
nvdimm.txt docs/nvdimm: add description of alignment requirement of device dax 2020-06-26 09:39:36 -04:00
pci_expander_bridge.txt pxb: cleanup 2016-03-11 16:59:12 +02:00
pcie_pci_bridge.txt pci: removed the is_express field since a uniform interface was inserted 2018-02-08 21:06:41 +02:00
pcie.txt docs: pcie: Spell out machine type needs for PCIe features 2018-03-01 16:25:37 +02:00
pr-manager.rst scsi: add multipath support to qemu-pr-helper 2017-09-22 21:07:27 +02:00
pvrdma.txt hw/pvrdma: Remove max-sge command-line param 2019-01-19 10:31:24 +02:00
qcow2-cache.txt qcow2: Default to 4KB for the qcow2 cache entry size 2019-03-08 12:26:45 +01:00
qdev-device-use.txt docs/qdev-device-use: Clean up the sentences related to -usbdevice 2020-07-13 11:40:47 +02:00
qemu_logo.pdf docs: add qemu logo to pdf 2017-01-16 10:11:43 +01:00
qemu-option-trace.rst.inc docs/qemu-option-trace.rst.inc: Remove redundant comment 2020-03-12 11:14:06 +00:00
qemupciserial.inf docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
rdma.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
replay.txt docs: Be consistent about capitalization of 'Arm' 2020-03-12 11:20:20 +00:00
spice-port-fqdn.txt docs: add spice-port-fqdn.txt 2012-12-17 14:01:41 +01:00
throttle.txt docs: Fix description of the leaky bucket algorithm in throttle.txt 2016-09-13 18:12:34 +03:00
usb2.txt docs/usb2.txt: ehci has six ports 2018-08-21 10:22:03 +02:00
usb-storage.txt usb: Fix typo in documentation 2017-01-24 23:26:52 +03:00
virtio-balloon-stats.txt Remove the deprecated -balloon option 2018-08-31 09:52:13 +02:00
virtio-net-failover.rst docs: fix rst syntax errors in unbuilt docs 2019-12-19 16:20:21 +00:00
virtio-pmem.rst docs: fix rst syntax errors in unbuilt docs 2019-12-19 16:20:21 +00:00
xbzrle.txt docs/xbzrle: update 'cache miss rate' and 'encoding rate' to docs 2020-06-17 17:48:39 +01:00
xen-save-devices-state.txt Fix up dangling references to qmp-commands.* in comment and doc 2018-03-02 13:48:26 -06:00