CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085

[Mauro Matteo Cascella <mcascell () redhat com>]

Hello,

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or
sdhci_sdma_transfer_multi_blocks().

A new series has been proposed (not merged yet) to address those
issues, and CVE-2021-3409 was assigned to facilitate
tracking/backporting of the new patch.

Old patch:
[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3

New patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

CVE-2021-3409 assigned by Red Hat, Inc.

Best regards.
-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0