On 2/11/21 9:52 AM, Mauro Matteo Cascella wrote:
> Hello,
>
> On Wed, Feb 10, 2021 at 11:27 PM Alistair Francis <alistai...@gmail.com>
> wrote:
>>
>> On Tue, Feb 9, 2021 at 2:55 AM Bin Meng <bmeng...@gmail.com> wrote:
>>>
>>> At the end of sdhci_send_command(), it starts a data transfer if
>>> the command register indicates data is associated. However, the
>>> data transfer should only be initiated when the command execution
>>> has succeeded.
>>>
>>> Cc: qemu-sta...@nongnu.org
>>> Fixes: CVE-2020-17380
>>> Fixes: CVE-2020-25085
>>> Reported-by: Alexander Bulekov <alx...@bu.edu>
>>> Reported-by: Sergej Schumilo (Ruhr-University Bochum)
>>> Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
>>> Reported-by: Simon Wörner (Ruhr-University Bochum)
>>> Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
>>
>> Isn't this already fixed?

The previous patch was enough to catch the previous reproducer, but
something changed elsewhere making the same reproducer crash QEMU again...

> It turned out the bug was still reproducible on master. I'm actually
> thinking of assigning a new CVE for this, to make it possible for
> distros to apply this fix.

It sounds fair. Do you have an ETA for the new CVE?

> --
> Mauro Matteo Cascella
> Red Hat Product Security
> PGP-Key ID: BB3410B0
>