On Tue, 30 Jun 2020 at 14:39, Philippe Mathieu-Daudé <[email protected]> wrote:
>
> Only move the state machine to ReceivingData if there is no
> pending error. This avoids later OOB access while processing
> commands queued.
>
>   "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
>   4.3.3 Data Read
>
>   Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
>   occurred and no data transfer is performed.
>
>   4.3.4 Data Write
>
>   Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
>   occurred and no data transfer is performed.
>
> WP_VIOLATION errors are not modified: the error bit is set, we
> stay in receive-data state, wait for a stop command. All further
> data transfer is ignored. See the check on sd->card_status at the
> beginning of sd_read_data() and sd_write_data().
>
> Fixes: CVE-2020-13253
> Cc: Prasad J Pandit <[email protected]>
> Reported-by: Alexander Bulekov <[email protected]>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
> Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
> ---
> v4: Only modify ADDRESS_ERROR, not WP_VIOLATION (pm215)

Reviewed-by: Peter Maydell <[email protected]>

thanks
-- PMM
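
The rule in the quoted commit message (enter the receive-data state only when the command raised no error), as an added example that is not part of the original mail and is not QEMU's code. It is a toy card model; every `toy_`/`TOY_` name, the 1024-byte card size and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Toy model, not QEMU's hw/sd/sd.c: every name and size here is illustrative. */
enum toy_state { TOY_TRANSFER, TOY_RECEIVING_DATA };
#define TOY_ADDRESS_ERROR 1u      /* stand-in for the ADDRESS_ERROR status bit */
#define TOY_CARD_SIZE 1024u
#define TOY_BLOCK_LEN 512u
struct toy_card {
    enum toy_state state;
    uint32_t status;              /* pending error bits */
    uint32_t data_start;          /* address of the accepted write */
    uint8_t storage[TOY_CARD_SIZE];
};

/* Write command: validate the address before changing state. */
static int toy_cmd_write_block(struct toy_card *c, uint32_t addr)
{
    if (addr > TOY_CARD_SIZE - TOY_BLOCK_LEN) {
        c->status |= TOY_ADDRESS_ERROR;
        return -1;                /* rejected: state stays TOY_TRANSFER */
    }
    c->data_start = addr;
    c->state = TOY_RECEIVING_DATA;
    return 0;
}

/* Data phase: stores one block only after an accepted write command. */
static int toy_write_data(struct toy_card *c, const uint8_t *blk)
{
    if (c->state != TOY_RECEIVING_DATA || c->status != 0)
        return -1;                /* no data transfer is performed */
    memcpy(&c->storage[c->data_start], blk, TOY_BLOCK_LEN);
    c->state = TOY_TRANSFER;
    return 0;
}

/* Returns 1 if the out-of-range write is rejected and nothing is stored. */
static int toy_demo(void)
{
    struct toy_card c = { .state = TOY_TRANSFER };
    uint8_t blk[TOY_BLOCK_LEN];
    memset(blk, 0xAA, sizeof blk);
    int cmd = toy_cmd_write_block(&c, 0xFFFFFF00u); /* constructed bad address */
    int data = toy_write_data(&c, blk);
    return cmd == -1 && data == -1 && c.state == TOY_TRANSFER &&
           (c.status & TOY_ADDRESS_ERROR) && c.storage[0] == 0;
}

int main(void) { return toy_demo() ? 0 : 1; }
```

If `toy_cmd_write_block()` set the state to `TOY_RECEIVING_DATA` before the range check, the following data phase would `memcpy` to an offset outside `storage`, which is the class of out-of-bounds access the commit message describes.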
