Bug 1175144 - (CVE-2020-17380) VUL-0: CVE-2020-17380: kvm,qemu: heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c
Status: RESOLVED DUPLICATE of bug 1182282
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/265027/
CVSSv3.1:SUSE:CVE-2020-17380:6.3:(AV:...
Depends on:
Blocks:
Reported: 2020-08-12 09:14 UTC by Robert Frohl
Modified: 2022-10-26 14:09 UTC (History)
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Robert Frohl 2020-08-12 09:14:01 UTC
rh#1862167

A heap-based buffer overflow vulnerability was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via sdhci_sdma_transfer_multi_blocks() routine. A guest user or process could use this flaw to crash the QEMU process on the host resulting in a denial-of-service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1862167
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17380
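The description above names the bug class (heap overflow during a multi-block SDMA transfer) without showing the pattern. The block below is an added, stand-alone model written for this page; it is not QEMU's hw/sd/sdhci.c and not part of the bug report. The buffer size, register mask, `SdhciModel` struct, the `guest_hook_fn` callback and the "lock the block size while a transfer is active" hardening are all modelling assumptions chosen to illustrate the pattern; the actual upstream fix is the patch series referenced in this bug's later comments. Instead of performing the out-of-bounds write, the model counts the bytes that would have landed past the buffer, so it can be run safely.

```c
/*
 * Added example: a simplified model of the SDHCI SDMA multi-block transfer
 * pattern behind CVE-2020-17380. NOT QEMU's code; names, sizes and the
 * guest hook are assumptions for illustration. The model never performs
 * the out-of-bounds write: it counts the bytes that would have gone past
 * the buffer instead.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN     512u    /* assumed size of the heap-allocated fifo buffer */
#define BLKSIZE_MASK 0x0fffu /* 12-bit block-size field, as in the SDHCI spec */

typedef struct {
    uint8_t  fifo_buffer[FIFO_LEN]; /* stands in for the heap buffer */
    uint32_t blksize;               /* guest-writable block-size register */
    bool     transfer_active;       /* set while a multi-block DMA runs */
    bool     lock_blksize;          /* hardened mode: freeze blksize mid-transfer */
} SdhciModel;

/* Guest MMIO write to the block-size register. */
void sdhci_write_blksize(SdhciModel *s, uint32_t value)
{
    if (s->lock_blksize && s->transfer_active) {
        return; /* hardened: the register is frozen while a transfer is active */
    }
    s->blksize = value & BLKSIZE_MASK;
}

/* Lets the caller stand in for a guest racing register writes against the
   DMA loop; invoked before each block is copied. */
typedef void (*guest_hook_fn)(SdhciModel *s, unsigned block_idx);

/* Multi-block SDMA transfer. Returns the number of bytes that would have been
   written beyond fifo_buffer (0 means the transfer stayed in bounds). */
size_t sdhci_sdma_transfer_multi_blocks(SdhciModel *s, unsigned nblocks,
                                        guest_hook_fn hook)
{
    size_t overflow = 0;
    s->transfer_active = true;
    for (unsigned i = 0; i < nblocks; i++) {
        if (hook) {
            hook(s, i); /* guest activity interleaved with the transfer */
        }
        /* Vulnerable pattern: the per-block length is re-read from a
           guest-writable register on every iteration, so a value that was
           valid when the transfer started can be enlarged mid-transfer. */
        uint32_t len = s->blksize;
        if (len > FIFO_LEN) {
            overflow += len - FIFO_LEN; /* a real memcpy would corrupt the heap here */
            continue;
        }
        memset(s->fifo_buffer, 0xA5, len); /* stand-in for the DMA copy */
    }
    s->transfer_active = false;
    return overflow;
}

/* Guest behaviour used in the demo: start with a block size that fits the
   fifo, then enlarge it once the transfer is already running. */
static void grow_blksize_mid_transfer(SdhciModel *s, unsigned block_idx)
{
    if (block_idx == 1) {
        sdhci_write_blksize(s, 0x0800); /* 2048 bytes, larger than FIFO_LEN */
    }
}

/* Runs one 4-block transfer with or without the lock; returns the overflow
   byte count reported by the model. */
size_t run_transfer(bool lock_blksize)
{
    SdhciModel s;
    memset(&s, 0, sizeof s);
    s.lock_blksize = lock_blksize;
    sdhci_write_blksize(&s, 0x0200); /* 512 bytes: exactly fills the fifo */
    return sdhci_sdma_transfer_multi_blocks(&s, 4, grow_blksize_mid_transfer);
}

int main(void)
{
    printf("unlocked blksize: %zu bytes past the fifo\n", run_transfer(false));
    printf("locked blksize:   %zu bytes past the fifo\n", run_transfer(true));
    return 0;
}
```

With the register unlocked, blocks 1 through 3 each use the enlarged 2048-byte length against a 512-byte buffer, so the model reports 3 * 1536 = 4608 bytes that a real copy would have written past the allocation; with the register frozen for the duration of the transfer every block stays at 512 bytes and the count is 0. The point a reviewer should take from this is that validating a length once, at register-write time, is not enough when the DMA loop re-reads that register while the guest can still change it.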
Comment 3 Robert Frohl 2020-11-04 15:02:05 UTC
tracking as affected:

- SUSE:SLE-12-SP2:Update/qemu
- SUSE:SLE-12-SP3:Update/qemu
- SUSE:SLE-12-SP4:Update/qemu
- SUSE:SLE-12-SP5:Update/qemu
- SUSE:SLE-15:Update/qemu
- SUSE:SLE-15-SP1:Update/qemu
- SUSE:SLE-15-SP2:Update/qemu
Comment 4 Bruce Rogers 2021-03-21 02:59:16 UTC
Apparently this is fixed by commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3, which is included in v5.2.0
Comment 5 OBSbugzilla Bot 2021-03-30 22:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1175144) was mentioned in
https://build.opensuse.org/request/show/882234 Factory / qemu
Comment 6 Gianluca Gabrielli 2021-04-02 10:24:34 UTC
(In reply to Bruce Rogers from comment #4)
> Apparently this is fixed by commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3,
> which is included in v5.2.0

Hi Bruce, it seems that only SLE-15-SP3 is shipping qemu >= 5.2.0.

The following codestreams are under general support and are shipping versions older than 5.2.0, so I think the fix should be back-ported to them.

SUSE:SLE-12-SP5:Update/qemu    3.1.1.1
SUSE:SLE-15-SP2:Update/qemu    4.2.1
Comment 7 Gianluca Gabrielli 2021-04-02 12:36:42 UTC
According to SMELT [0] there are more codestreams shipping qemu to generally supported products; here is the updated list:

SUSE:SLE-11:Update      qemu  0.10.1
SUSE:SLE-12-SP3:Update  qemu  2.9.1
SUSE:SLE-12-SP5:Update  qemu  3.1.1.1
SUSE:SLE-15:Update      qemu  2.11.2
SUSE:SLE-15-SP1:Update  qemu  3.1.1.1
SUSE:SLE-15-SP2:Update  qemu  4.2.1

[0] https://smelt.suse.de/maintained/?q=qemu
Comment 8 Bruce Rogers 2021-04-02 19:03:52 UTC
I ran into lots of issues doing a backport of this fix to older releases. I'll take a fresh look when not so overloaded and see if we can make it happen.
Comment 11 Swamp Workflow Management 2021-06-10 13:37:55 UTC
SUSE-SU-2021:1942-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1175144,1175534,1176681,1178683,1178935,1179477,1179484,1179686,1181103,1182282,1182425,1182968,1182975,1183373,1186290
CVE References: CVE-2019-15890,CVE-2020-14364,CVE-2020-17380,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-27821,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20263,CVE-2021-3409,CVE-2021-3416,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    qemu-5.2.0-17.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    qemu-5.2.0-17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-07-11 14:07:02 UTC
openSUSE-SU-2021:1942-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1175144,1175534,1176681,1178683,1178935,1179477,1179484,1179686,1181103,1182282,1182425,1182968,1182975,1183373,1186290
CVE References: CVE-2019-15890,CVE-2020-14364,CVE-2020-17380,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-27821,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20263,CVE-2021-3409,CVE-2021-3416,CVE-2021-3419
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-5.2.0-17.1
Comment 15 Dario Faggioli 2022-08-31 13:44:58 UTC
(In reply to Bruce Rogers from comment #4)
> Apparently this is fixed by commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3,
> which is included in v5.2.0
>
The assessment Bruce made here appears to be wrong. Following a few links, it seems to me that the proper fix is this series:

https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

(see, e.g.: https://bugzilla.redhat.com/show_bug.cgi?id=1928146)

I'll try to backport it
Comment 16 Thomas Leroy 2022-09-27 11:21:59 UTC
(In reply to Dario Faggioli from comment #15)
> (In reply to Bruce Rogers from comment #4)
> > Apparently this is fixed by commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3,
> > which is included in v5.2.0
> >
> The assessment Bruce made here appears to be wrong. Following a few links,
> it seems to me that the proper fix is this series:
> 
> https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
> 
> (see, e.g.: https://bugzilla.redhat.com/show_bug.cgi?id=1928146)
> 
> I'll try to backport it

Thank you very much for your efforts Dario.
SUSE:SLE-12-SP{3,5}:Update are still missing a fix, and SUSE:SLE-15-SP{3,4}:Update got the wrong one according to your assessment.
Comment 17 Dario Faggioli 2022-09-30 15:22:29 UTC
(In reply to Thomas Leroy from comment #16)
> (In reply to Dario Faggioli from comment #15)
> > The assessment Bruce made here appears to be wrong. Following a few links,
> > it seems to me that the proper fix is this series:
> > 
> > https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
> > 
> > (see, e.g.: https://bugzilla.redhat.com/show_bug.cgi?id=1928146)
> > 
> > I'll try to backport it
> 
> Thank you very much for your efforts Dario.
> SUSE:SLE-12-SP{3,5}:Update are still missing a fix, and
> SUSE:SLE-15-SP{3,4}:Update got the wrong one according to your assessment.
>
Well, yes. But the series has been merged with commit 5ca634afcf83215a9a54ca6e66032325b5ffb5f6, which is already in QEMU 6.2, so for 15-SP4, we should be fine.

The patches are already there in 15-SP3 too: https://build.suse.de/package/view_file/SUSE:SLE-15-SP3:Update/qemu/hw-sd-sdhci-Correctly-set-the-controller.patch?expand=1 (and others).

They're not there in 15-SP2, and I still need to check the earlier versions.
Comment 19 Dario Faggioli 2022-10-04 09:08:49 UTC
(In reply to Dario Faggioli from comment #17)
> (In reply to Thomas Leroy from comment #16)
> > Thank you very much for your efforts Dario.
> > SUSE:SLE-12-SP{3,5}:Update are still missing a fix, and
> > SUSE:SLE-15-SP{3,4}:Update got the wrong one according to your assessment.
> >
> Well, yes. But the series has been merged with commit
> 5ca634afcf83215a9a54ca6e66032325b5ffb5f6, which is already in QEMU 6.2, so
> for 15-SP4, we should be fine.
> 
> The patches are already there in 15-SP3 too:
> https://build.suse.de/package/view_file/SUSE:SLE-15-SP3:Update/qemu/hw-sd-
> sdhci-Correctly-set-the-controller.patch?expand=1 (and others).
> 
> They're not there in 15-SP2, and I still need to check the earlier versions.
>
OK, the whole situation about these two bugs is terribly confusing. Bug 1182282 (and CVE-2021-3409) looks like "the real one" to me, so I'm closing this one as a duplicate.

The work will continue to be tracked there. Ping me and/or reopen if that's not acceptable for whatever reason.

*** This bug has been marked as a duplicate of bug 1182282 ***
Comment 21 Swamp Workflow Management 2022-10-17 10:20:46 UTC
SUSE-SU-2022:3594-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1175144,1182282,1192115,1198035,1198037,1198038
CVE References: CVE-2021-3409,CVE-2021-4206,CVE-2021-4207,CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    qemu-4.2.1-150200.69.1
openSUSE Leap 15.3 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Server 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Retail Branch Server 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Proxy 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    qemu-4.2.1-150200.69.1
SUSE Enterprise Storage 7 (src):    qemu-4.2.1-150200.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-10-26 14:09:51 UTC
SUSE-SU-2022:3768-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1175144,1182282,1185000,1192463,1198035,1198037,1198038,1201367
CVE References: CVE-2020-17380,CVE-2021-3409,CVE-2021-3507,CVE-2021-4206,CVE-2021-4207,CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Enterprise Storage 6 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE CaaS Platform 4.0 (src):    qemu-3.1.1.1-150100.80.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.