On Tue, 30 Jun 2020 at 14:39, Philippe Mathieu-Daudé <f4...@amsat.org> wrote: > > Only move the state machine to ReceivingData if there is no > pending error. This avoids later OOB access while processing > commands queued. > > "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" > > 4.3.3 Data Read > > Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR > occurred and no data transfer is performed. > > 4.3.4 Data Write > > Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR > occurred and no data transfer is performed. > > WP_VIOLATION errors are not modified: the error bit is set, we > stay in receive-data state, wait for a stop command. All further > data transfer is ignored. See the check on sd->card_status at the > beginning of sd_read_data() and sd_write_data(). > > Fixes: CVE-2020-13253 > Cc: Prasad J Pandit <p...@fedoraproject.org> > Reported-by: Alexander Bulekov <alx...@bu.edu> > Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 > Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org> > --- > v4: Only modify ADDRESS_ERROR, not WP_VIOLATION (pm215)
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> thanks -- PMM
