oss-sec mailing list archives
CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085
From: Mauro Matteo Cascella <mcascell () redhat com>
Date: Tue, 9 Mar 2021 09:56:16 +0100
Hello, QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation code. In fact, commit [1] turned out to be incomplete, in that it was still possible to reproduce the same issue(s) with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks(). A new series has been proposed (not merged yet) to address those issues, and CVE-2021-3409 was assigned to facilitate tracking/backporting of the new patch. Old patch: [1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3 New patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html CVE-2021-3409 assigned by Red Hat, Inc. Best regards. -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
Current thread:
- CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085 Mauro Matteo Cascella (Mar 09)