Bug 1172033 (CVE-2020-13253) - VUL-1: CVE-2020-13253: kvm,qemu: sd: OOB access could crash the guest resulting in DoS
Status: IN_PROGRESS
Alias: CVE-2020-13253
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/259709/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-13253:3.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-25 06:16 UTC by Robert Frohl
Modified: 2023-07-25 17:33 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2020-05-25 06:16:41 UTC
CVE-2020-13253

An out-of-bounds read access issue was found in the SD Memory Card emulator of QEMU. It occurs while performing block write commands via sdhci_write(), if a guest user has sent an 'address' which is OOB of 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU process, resulting in DoS.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13253
https://access.redhat.com/security/cve/CVE-2020-13253
https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
Comment 1 Robert Frohl 2020-05-25 06:36:55 UTC
upstream does not seem to agree that this is a bug.

> [..] indeed the Kconfig was added to allow distributions to disable pieces of code, and we want to keep this device in mainstream QEMU.
>
> Distributions are free to disable it setting SDHCI_PCI=n

I believe this does not affect us, but I wanted to ask about SDHCI_PCI config option. I do not see it in SLE15 anywhere, but might have missed it. Is this something we should consider?

[0] https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05867.html
Comment 2 Bruce Rogers 2020-06-08 19:57:59 UTC
I'll watch the upstream progress on this issue. Indeed it does affect us, but it's quite likely no one is using this feature. We mark it unsupported from a SLE standpoint.

I think we'll likely want to include this fix, but I don't think it's a rush issue, so like I said, let's watch how upstream intends to handle it for a bit.
Comment 5 Bruce Rogers 2021-04-09 17:25:39 UTC
This and other sd related fixes will either be fixed in the next round of maintenance updates (within a month or so), or we'll just declare them too hard to fix, esp. given that we don't support the sd card emulation. Given how the effort went so far, it's quite possible that v4.2 qemu (for SLE-15-SP2) will be the only release affected where we can get a fix done.
Comment 6 Liang Yan 2022-01-04 15:13:56 UTC
The fix has been merged upstream since qemu-5.0.

commit 790762e5487114341cccc5bffcec4cb3c022c3cd
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date:   Thu Jun 4 19:22:29 2020 +0200

    hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
    
    Only move the state machine to ReceivingData if there is no
    pending error. This avoids later OOB access while processing
    commands queued.


It is triggerable since qemu-4.2.0, so the only affected qemu version is SLES15-SP2.
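The ordering problem described in the bug description (state machine advanced and wp_groups consulted before the guest-supplied address is validated) and the shape of the fix stated in the commit message above, as an added example that is not QEMU's own code: a constructed C model of the CMD24 (WRITE_SINGLE_BLOCK) path in hw/sd/sd.c. Every name here (sd_card, make_card, wp_addr, addr_in_range, cmd24_vulnerable, cmd24_fixed, WPGROUP_SHIFT, MAX_WPGROUPS) and every constant is an assumption made for the example, not a QEMU definition. The real sd_wp_addr() indexes the bitmap unchecked, which is the CVE-2020-13253 read; the model counts the out-of-range index instead of following it, so both variants can be run side by side without crashing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the CMD24 (WRITE_SINGLE_BLOCK) path in QEMU's
 * hw/sd/sd.c. Names, constants and struct layout are assumptions made for
 * this example, not QEMU's own definitions. */

enum sd_state { SD_TRANSFER, SD_RECEIVINGDATA };
#define ADDRESS_ERROR (1u << 30)
#define WP_VIOLATION  (1u << 26)
#define WPGROUP_SHIFT 12          /* assumption: one WP bit per 4 KiB group */
#define MAX_WPGROUPS  64

typedef struct {
    enum sd_state state;
    uint64_t size;                /* card capacity in bytes */
    uint32_t blk_len;             /* bytes per block */
    uint64_t data_start;
    uint32_t card_status;
    size_t wpgrps_size;           /* valid entries in wp_groups */
    uint8_t wp_groups[MAX_WPGROUPS];
    int oob_lookup;               /* lookups that went past wp_groups */
} sd_card;

static sd_card make_card(uint64_t size, uint32_t blk_len)
{
    sd_card sd;
    memset(&sd, 0, sizeof sd);
    sd.state = SD_TRANSFER;
    sd.size = size;
    sd.blk_len = blk_len;
    sd.wpgrps_size = (size_t)(size >> WPGROUP_SHIFT);
    return sd;
}

/* Stand-in for sd_wp_addr(). The real code indexes the bitmap unchecked
 * (the CVE-2020-13253 read); here the bad index is counted, not followed. */
static bool wp_addr(sd_card *sd, uint64_t addr)
{
    uint64_t wpnum = addr >> WPGROUP_SHIFT;
    if (wpnum >= sd->wpgrps_size) {
        sd->oob_lookup++;
        return false;
    }
    return sd->wp_groups[wpnum] != 0;
}

/* addr > size || blk_len > size - addr instead of addr + blk_len > size,
 * so a guest-chosen addr near UINT64_MAX cannot wrap the sum. */
static bool addr_in_range(const sd_card *sd, uint64_t addr)
{
    return addr <= sd->size && sd->blk_len <= sd->size - addr;
}

/* Vulnerable ordering: state moves to ReceivingData and the WP bitmap is
 * consulted before the guest-supplied address is rejected. */
static uint32_t cmd24_vulnerable(sd_card *sd, uint64_t addr)
{
    if (sd->state != SD_TRANSFER)
        return sd->card_status;
    sd->state = SD_RECEIVINGDATA;
    sd->data_start = addr;
    if (!addr_in_range(sd, addr))
        sd->card_status |= ADDRESS_ERROR;   /* flagged, but we carry on */
    if (wp_addr(sd, addr))                  /* OOB index reaches here */
        sd->card_status |= WP_VIOLATION;
    return sd->card_status;
}

/* Fixed ordering, per the commit message: enter ReceivingData only when
 * no error is pending, so a bad address never reaches the lookup. */
static uint32_t cmd24_fixed(sd_card *sd, uint64_t addr)
{
    if (sd->state != SD_TRANSFER)
        return sd->card_status;
    if (!addr_in_range(sd, addr)) {
        sd->card_status |= ADDRESS_ERROR;
        return sd->card_status;             /* state stays SD_TRANSFER */
    }
    if (wp_addr(sd, addr)) {
        sd->card_status |= WP_VIOLATION;
        return sd->card_status;
    }
    sd->state = SD_RECEIVINGDATA;
    sd->data_start = addr;
    return sd->card_status;
}

int main(void)
{
    /* Constructed card: 64 groups of 4 KiB; 1 MiB is past its end. */
    sd_card v = make_card(64u << WPGROUP_SHIFT, 512), f = v;
    cmd24_vulnerable(&v, 1u << 20);
    cmd24_fixed(&f, 1u << 20);
    printf("vulnerable: oob lookups=%d state=%d\n", v.oob_lookup, v.state);
    printf("fixed:      oob lookups=%d state=%d\n", f.oob_lookup, f.state);
    return 0;
}
```

The point to take from the two functions is not the bounds check itself, which both variants have, but where it sits: in the vulnerable ordering ADDRESS_ERROR is recorded yet execution continues into the bitmap lookup and the card is left in ReceivingData, so the queued data phase also runs against the bad address. Compiling with -fsanitize=address and replacing the counted lookup with a raw index would turn the counter into the crash the advisory describes.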
Comment 7 Liang Yan 2022-01-05 01:43:44 UTC
https://build.suse.de/request/show/261480

Patch has been merged into our dev repo, should be into 15SP2 by the next MR. Re-assign back to the security team, thanks for the report.
Comment 9 Swamp Workflow Management 2022-01-27 17:23:34 UTC
SUSE-SU-2022:0210-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.0 (src):    qemu-4.2.1-11.34.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-01-27 17:24:51 UTC
openSUSE-SU-2022:0210-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-4.2.1-11.34.2
Comment 11 Swamp Workflow Management 2022-02-18 14:22:35 UTC
SUSE-SU-2022:0210-2: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    qemu-4.2.1-11.34.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-02-18 14:36:43 UTC
openSUSE-SU-2022:0210-2: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1172033,1181361
CVE References: CVE-2020-13253,CVE-2021-20196
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    qemu-4.2.1-11.34.2
Comment 14 Maintenance Automation 2023-03-16 12:30:23 UTC
SUSE-SU-2023:0761-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1172033, 1172382, 1175144, 1180207, 1182282, 1185000, 1193880, 1197653, 1198035, 1198038, 1198712, 1201367, 1205808
CVE References: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.