On Mon, Feb 8, 2021 at 9:26 PM Philippe Mathieu-Daudé <[email protected]> wrote:
>
> On Mon, Feb 8, 2021 at 8:59 PM Mauro Matteo Cascella
> <[email protected]> wrote:
> > On Mon, Feb 8, 2021 at 8:35 PM Philippe Mathieu-Daudé <[email protected]>
> > wrote:
> > >
> > > Per the "SD Host Controller Simplified Specification Version 2.00"
> > > spec. 'Table 2-4 : Block Size Register':
> > >
> > > Transfer Block Size [...] can be accessed only if no
> > > transaction is executing (i.e., after a transaction has stopped).
> > > Read operations during transfers may return an invalid value,
> > > and write operations shall be ignored.
> > >
> ...
> > >
> > > Fixes: CVE-2020-17380
> > > Fixes: CVE-2020-25085
> > > Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
> > > ---
> > > Cc: Mauro Matteo Cascella <[email protected]>
> > > Cc: Alexander Bulekov <[email protected]>
> > > Cc: Alistair Francis <[email protected]>
> > > Cc: Prasad J Pandit <[email protected]>
> > > Cc: Bandan Das <[email protected]>
> > >
> > > RFC because missing Reported-by tags, launchpad/bugzilla links and
> > > qtest reproducer. Sending for review meanwhile.
> ...
> > For the above CVEs:
> > Tested-by: Mauro Matteo Cascella <[email protected]>
>
> Thanks Mauro for testing. Do you know what tags I should add for the credits?
>
> Phil.
>
I think the credit should go to Alexander for reporting [1] as well as
people from Ruhr-University Bochum for CVE-2020-25085 (I don't know
about their emails, though):

Reported-by: Alexander Bulekov <[email protected]>
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)

[1] https://bugs.launchpad.net/qemu/+bug/1892960

--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
