Bugzilla – Bug 1172033
VUL-1: CVE-2020-13253: kvm,qemu: sd: OOB access could crash the guest resulting in DoS
Last modified: 2023-07-25 17:33:51 UTC
CVE-2020-13253: An out-of-bounds read access issue was found in the SD Memory Card emulator of QEMU. It occurs while performing block write commands via sdhci_write(), if a guest user has sent an 'address' which is OOB of 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU process, resulting in DoS.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13253
https://access.redhat.com/security/cve/CVE-2020-13253
https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
Upstream does not seem to agree that this is a bug [0]:

> [..] indeed the Kconfig was added to allow distributions to disable piece of code, and we want to keep this device in mainstream QEMU.
>
> Distributions are free to disable it setting SDHCI_PCI=n

I believe this does not affect us, but I wanted to ask about the SDHCI_PCI config option. I do not see it in SLE15 anywhere, but might have missed it. Is this something we should consider?

[0] https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05867.html
I'll watch the upstream progress on this issue. Indeed it does affect us, but it's quite likely no one is using this feature. We mark it unsupported from a SLE standpoint. I think we'll likely want to include this fix, but I don't think it's a rush issue, so like I said, let's watch how upstream intends to handle it for a bit.
This and other sd related fixes will either be fixed in the next round of maintenance updates (within a month or so), or we'll just declare them too hard to fix, esp. given that we don't support the sd card emulation. Given how the effort went so far, it's quite possible that v4.2 qemu (for SLE-15-SP2) will be the only release affected where we can get a fix done.
The fix is merged into upstream since qemu-5.0.

commit 790762e5487114341cccc5bffcec4cb3c022c3cd
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date:   Thu Jun 4 19:22:29 2020 +0200

    hw/sd/sdcard: Do not switch to ReceivingData if address is invalid

    Only move the state machine to ReceivingData if there is no pending error.
    This avoids later OOB access while processing commands queued.

It is triggered since qemu-4.2.0, so the only affected qemu version is SLES15-SP2.
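To show why the upstream fix targets the command state machine rather than the data path, the following is an added, simplified C model of the SD card command handling; it is not QEMU's hw/sd/sd.c, and the group geometry, the struct fields other than wp_groups, and the function names are constructed assumptions for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed geometry for this model; not QEMU's real sd.c values. */
#define WPGROUP_SIZE   512u
#define NUM_WP_GROUPS  8u
#define CARD_SIZE      (WPGROUP_SIZE * NUM_WP_GROUPS)

enum sd_state { SD_IDLE, SD_RECEIVING_DATA };

struct sd_card {
    enum sd_state state;
    uint32_t data_start;            /* address taken from the guest's write command */
    bool address_error;             /* pending error: data_start was out of range */
    bool wp_groups[NUM_WP_GROUPS];  /* per-group write-protect flags, indexed in data phase */
};

static bool address_valid(uint32_t addr) { return addr < CARD_SIZE; }

/* Pre-fix logic: the error is recorded, but the state machine still advances. */
void write_block_cmd_vulnerable(struct sd_card *c, uint32_t addr) {
    c->data_start = addr;
    c->address_error = !address_valid(addr);
    c->state = SD_RECEIVING_DATA;   /* advances even though an error is pending */
}

/* Fixed logic: only switch to ReceivingData when no error is pending. */
void write_block_cmd_fixed(struct sd_card *c, uint32_t addr) {
    c->data_start = addr;
    c->address_error = !address_valid(addr);
    if (!c->address_error) {
        c->state = SD_RECEIVING_DATA;
    }
}

/* Data phase: the wp_groups index the write path would consult, or -1 if the
 * card is not receiving. Any value >= NUM_WP_GROUPS is the out-of-bounds read. */
int data_phase_wp_index(const struct sd_card *c) {
    if (c->state != SD_RECEIVING_DATA) return -1;
    return (int)(c->data_start / WPGROUP_SIZE);
}

/* Run one write command against a fresh card and report the data-phase index. */
int wp_index_after_cmd(bool use_fix, uint32_t addr) {
    struct sd_card c = {0};
    if (use_fix) write_block_cmd_fixed(&c, addr); else write_block_cmd_vulnerable(&c, addr);
    return data_phase_wp_index(&c);
}
```

With an out-of-range address the pre-fix card still enters ReceivingData and the data phase computes an index past wp_groups, while the fixed card stays idle and never reaches the array.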
https://build.suse.de/request/show/261480

Patch has been merged into our dev repo, should be into 15SP2 by the next MR. Re-assign back to the security team, thanks for the report.
SUSE-SU-2022:0210-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References:
Sources used:
SUSE Linux Enterprise Micro 5.0 (src): qemu-4.2.1-11.34.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2022:0210-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): qemu-4.2.1-11.34.2

SUSE-SU-2022:0210-2: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References:
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): qemu-4.2.1-11.34.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2022:0210-2: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-11.34.2

SUSE-SU-2023:0761-1: An update that solves 14 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1172033, 1172382, 1175144, 1180207, 1182282, 1185000, 1193880, 1197653, 1198035, 1198038, 1198712, 1201367, 1205808
CVE References: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-66.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.