Bug 1176681 (CVE-2020-25085) - VUL-0: CVE-2020-25085: kvm,qemu: sdhci: out-of-bounds access issue while doing multi block SDMA
Summary: VUL-0: CVE-2020-25085: kvm,qemu: sdhci: out-of-bounds access issue while doing multi block SDMA
Status: RESOLVED FIXED
Alias: CVE-2020-25085
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/267526/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25085:5.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-17 15:38 UTC by Wolfgang Frisch
Modified: 2024-04-15 13:02 UTC
9 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-09-17 15:38:41 UTC
CVE-2020-25085

An out-of-bounds r/w access issue was found in the SDHCI Controller emulator of QEMU. It may occur while doing multi block SDMA, if the transfer block size exceeds the 's->fifo_buffer[s->buf_maxsz]' size. It'd leave the current element pointer 's->data_count' pointing out of bounds, leading the subsequent DMA r/w operation to an OOB access. A guest user/process may use this flaw to crash the QEMU process, resulting in a DoS scenario.

Upstream patches:
-----------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01439.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/09/16/6

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1879671
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25085
http://seclists.org/oss-sec/2020/q3/181
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01439.html
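To make the mechanism in the description concrete, here is an added, self-contained C model of the SDMA path (constructed for this page; it is not QEMU's sdhci code and does not reproduce the upstream fix). It keeps the report's names (fifo_buffer, buf_maxsz, data_count, blksize) but the FIFO size, the register-write helpers and the status codes are assumptions of the model. It contrasts a register write that accepts any guest-chosen block size with one that rejects a block larger than the FIFO, and the transfer loop reports SDMA_OOB where the real emulator would index past the buffer, so the defect is visible without the model itself corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the SDHCI multi-block SDMA path from the bug report:
 * a fixed-size FIFO ('fifo_buffer' of 'buf_maxsz' bytes), an element pointer
 * 'data_count', a guest-chosen block size 'blksize' and a block count
 * 'blkcnt'. Sizes and helper names are assumptions of this model.
 */
#define MODEL_FIFO_SIZE 512u        /* assumed FIFO size for the model */

enum sdma_status { SDMA_OK = 0, SDMA_EINVAL = 1, SDMA_OOB = 2 };

struct sd_model {
    uint8_t fifo_buffer[MODEL_FIFO_SIZE];
    size_t buf_maxsz;
    size_t data_count;       /* current element pointer into fifo_buffer */
    uint16_t blksize;        /* guest-controlled transfer block size */
    uint16_t blkcnt;         /* guest-controlled number of blocks */
    size_t bytes_copied;     /* bytes DMA'd out of the FIFO so far */
};

static void sd_model_init(struct sd_model *s, uint16_t blkcnt)
{
    memset(s, 0, sizeof(*s));
    s->buf_maxsz = MODEL_FIFO_SIZE;
    s->blkcnt = blkcnt;
}

/* Weak register write: the block size is taken as-is from the guest. */
static void set_blksize_unchecked(struct sd_model *s, uint16_t value)
{
    s->blksize = value;
}

/* Hardened register write: a block larger than the FIFO can never be
 * staged, so refuse it before any transfer starts. */
static int set_blksize_checked(struct sd_model *s, uint16_t value)
{
    if (value == 0 || value > s->buf_maxsz) {
        return SDMA_EINVAL;
    }
    s->blksize = value;
    return SDMA_OK;
}

/*
 * Multi-block SDMA: stage each block into the FIFO, then DMA it to 'dst'.
 * Where the real emulator would index past fifo_buffer, the model stops and
 * reports SDMA_OOB instead of touching memory outside the buffer.
 */
static int sdma_multi_block(struct sd_model *s, const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_len)
{
    size_t need = (size_t)s->blksize * s->blkcnt;
    size_t off = 0;

    if (need > src_len || need > dst_len) {
        return SDMA_EINVAL;   /* the model's sample buffers are too small */
    }
    for (uint16_t blk = 0; blk < s->blkcnt; blk++) {
        s->data_count = 0;
        while (s->data_count < s->blksize) {
            if (s->data_count >= s->buf_maxsz) {
                return SDMA_OOB;  /* element pointer would leave the FIFO */
            }
            s->fifo_buffer[s->data_count++] = src[off++];
        }
        memcpy(dst + s->bytes_copied, s->fifo_buffer, s->data_count);
        s->bytes_copied += s->data_count;
    }
    return SDMA_OK;
}

/* Scenario 1: hardened path. Returns bytes copied, or -1 if an oversized
 * block size slipped through or the transfer failed. */
static int demo_checked_path(void)
{
    static uint8_t src[4096], dst[4096];   /* constructed guest/host memory */
    struct sd_model s;
    sd_model_init(&s, 4);
    if (set_blksize_checked(&s, 1024) != SDMA_EINVAL) return -1; /* 1024 > FIFO */
    if (set_blksize_checked(&s, 512) != SDMA_OK) return -1;
    if (sdma_multi_block(&s, src, sizeof src, dst, sizeof dst) != SDMA_OK) return -1;
    return (int)s.bytes_copied;            /* 4 blocks * 512 bytes = 2048 */
}

/* Scenario 2: unchecked path with the same oversized block size. */
static int demo_unchecked_path(void)
{
    static uint8_t src[4096], dst[4096];   /* constructed guest/host memory */
    struct sd_model s;
    sd_model_init(&s, 4);
    set_blksize_unchecked(&s, 1024);
    return sdma_multi_block(&s, src, sizeof src, dst, sizeof dst);
}

int main(void)
{
    printf("checked path copied %d bytes\n", demo_checked_path());
    printf("unchecked path status %d (2 = out of bounds)\n", demo_unchecked_path());
    return 0;
}
```

The point of the two scenarios is where the check lives: validating the guest-supplied block size against buf_maxsz at the register write means the transfer loop never has to reason about an element pointer that has already left the FIFO.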
Comment 1 Wolfgang Frisch 2020-09-17 15:41:15 UTC
Judging by the source code, I'm tracking this bug as follows:

SUSE:SLE-11:Update      qemu  Not affected [1]
SUSE:SLE-11-SP1:Update  kvm   Not affected [1]
SUSE:SLE-11-SP3:Update  kvm   Not affected [1]
SUSE:SLE-11-SP4:Update  kvm   Affected
SUSE:SLE-12-SP2:Update  qemu  Affected
SUSE:SLE-12-SP3:Update  qemu  Affected
SUSE:SLE-12-SP4:Update  qemu  Affected
SUSE:SLE-12-SP5:Update  qemu  Affected
SUSE:SLE-15:Update      qemu  Affected
SUSE:SLE-15-SP1:Update  qemu  Affected
SUSE:SLE-15-SP2:Update  qemu  Affected

[1] sdhci support not present.
Comment 2 Bruce Rogers 2021-01-04 22:06:10 UTC
The first patch mentioned is now commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3
The second patch mentioned (asserts) appears to not be needed, given the first patch, but the discussion did lead to some reworking of the code, though not part of the security issue as far as I can determine, so we'll only add the one commit.
Comment 3 OBSbugzilla Bot 2021-03-30 22:50:11 UTC
This is an autogenerated message for OBS integration:
This bug (1176681) was mentioned in
https://build.opensuse.org/request/show/882234 Factory / qemu
Comment 4 Gianluca Gabrielli 2021-04-02 11:56:58 UTC
(In reply to Bruce Rogers from comment #2)
> The first patch mentioned is now commit
> dfba99f17feb6d4a129da19d38df1bcd8579d1c3
> The second patch mentioned (asserts) appears to not be needed, given the
> first patch, but the discussion did lead to some reworking of the code. But
> not part of the security issue that I can determine, So we'll only add the
> one commit.

Since the mentioned commit is part of qemu >= v5.2.0-rc0 and the vulnerability is not LTSS worthy, I think this only needs to be backported to the following codestreams:

SUSE:SLE-12-SP5:Update/qemu    3.1.1.1
SUSE:SLE-15-SP2:Update/qemu    4.2.1
Comment 5 Gianluca Gabrielli 2021-04-02 12:42:36 UTC
According to SMELT [0], there are more codestreams shipping qemu to generally supported products; here is the updated list:

SUSE:SLE-11:Update      qemu  0.10.1
SUSE:SLE-12-SP3:Update  qemu  2.9.1
SUSE:SLE-12-SP5:Update  qemu  3.1.1.1
SUSE:SLE-15:Update      qemu  2.11.2
SUSE:SLE-15-SP1:Update  qemu  3.1.1.1
SUSE:SLE-15-SP2:Update  qemu  4.2.1

[0] https://smelt.suse.de/maintained/?q=qemu
Comment 9 Swamp Workflow Management 2021-06-02 19:23:03 UTC
SUSE-SU-2021:1837-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1179725,1182846,1182975,1186290
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    qemu-3.1.1.1-51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-06-08 16:37:07 UTC
SUSE-SU-2021:1893-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1182846,1182975,1183979,1186290
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: SLE-17785
Sources used:
SUSE MicroOS 5.0 (src):    qemu-4.2.1-11.19.2
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-4.2.1-11.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    qemu-4.2.1-11.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-06-10 13:38:12 UTC
SUSE-SU-2021:1942-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1175144,1175534,1176681,1178683,1178935,1179477,1179484,1179686,1181103,1182282,1182425,1182968,1182975,1183373,1186290
CVE References: CVE-2019-15890,CVE-2020-14364,CVE-2020-17380,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-27821,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20263,CVE-2021-3409,CVE-2021-3416,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    qemu-5.2.0-17.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    qemu-5.2.0-17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-07-11 14:07:16 UTC
openSUSE-SU-2021:1942-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1175144,1175534,1176681,1178683,1178935,1179477,1179484,1179686,1181103,1182282,1182425,1182968,1182975,1183373,1186290
CVE References: CVE-2019-15890,CVE-2020-14364,CVE-2020-17380,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-27821,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20263,CVE-2021-3409,CVE-2021-3416,CVE-2021-3419
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-5.2.0-17.1
Comment 14 Swamp Workflow Management 2021-07-14 01:18:10 UTC
openSUSE-SU-2021:1043-1: An update that solves 14 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1182846,1182975,1183979,1184574,1185591,1185981,1185990,1186010,1186290,1187013
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419,CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: SLE-17785
Sources used:
openSUSE Leap 15.2 (src):    qemu-4.2.1-lp152.9.16.2, qemu-linux-user-4.2.1-lp152.9.16.1, qemu-testsuite-4.2.1-lp152.9.16.7
Comment 15 Swamp Workflow Management 2021-08-02 16:17:52 UTC
openSUSE-SU-2021:2591-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1176681,1185591,1186290,1187364,1187365,1187366,1187367,1187499,1187529,1187538,1187539
CVE References: CVE-2020-25085,CVE-2021-3582,CVE-2021-3592,CVE-2021-3593,CVE-2021-3594,CVE-2021-3595,CVE-2021-3607,CVE-2021-3608,CVE-2021-3611
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-3.1.1.1-9.30.2
Comment 16 Swamp Workflow Management 2021-08-02 16:20:08 UTC
SUSE-SU-2021:2591-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1176681,1185591,1186290,1187364,1187365,1187366,1187367,1187499,1187529,1187538,1187539
CVE References: CVE-2020-25085,CVE-2021-3582,CVE-2021-3592,CVE-2021-3593,CVE-2021-3594,CVE-2021-3595,CVE-2021-3607,CVE-2021-3608,CVE-2021-3611
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    qemu-3.1.1.1-9.30.2
SUSE Manager Retail Branch Server 4.0 (src):    qemu-3.1.1.1-9.30.2
SUSE Manager Proxy 4.0 (src):    qemu-3.1.1.1-9.30.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    qemu-3.1.1.1-9.30.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    qemu-3.1.1.1-9.30.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    qemu-3.1.1.1-9.30.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    qemu-3.1.1.1-9.30.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    qemu-3.1.1.1-9.30.2
SUSE Enterprise Storage 6 (src):    qemu-3.1.1.1-9.30.2
SUSE CaaS Platform 4.0 (src):    qemu-3.1.1.1-9.30.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Marcus Meissner 2024-04-15 13:02:51 UTC
done