On Tue, Oct 6, 2015 at 10:40 AM, Alistair Francis <alistair.fran...@xilinx.com> wrote:
> It is possible for the guest to set an invalid block
> size which is larger than the fifo_buffer[] array. This
> could cause a buffer overflow.
>
> To avoid this, limit the maximum size of the blksize variable.
>
> Signed-off-by: Alistair Francis <alistair.fran...@xilinx.com>
> Suggested-by: Igor Mitsyanko <i.mitsya...@gmail.com>
> Reported-by: Intel Security ATR <sec...@intel.com>
> Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.pe...@gmail.com>

With Pavan's patches and now this, the SD patches are starting to pile up on list. What queue do they target? target-arm (as lead/major user) or something block-related?

Regards,
Peter

> ---
>
> hw/sd/sdhci.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 65304cf..1d47f5c 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -1006,6 +1006,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val,
> unsigned size)
> MASKED_WRITE(s->blksize, mask, value);
> MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
> }
> +
> + /* Limit block size to the maximum buffer size */
> + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
> + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
> + "the maximum buffer 0x%x", __func__, s->blksize,
> + s->buf_maxsz);
> +
> + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
> + }
> +
> break;
> case SDHC_ARGUMENT:
> MASKED_WRITE(s->argument, mask, value);
> --
> 2.1.4
>
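Review bot: The qemu_log_mask() call in the new block logs the whole s->blksize register, while the check compares only extract32(s->blksize, 0, 12), so the "Size 0x%x" printed can differ from the value that was actually rejected; suggest holding the extracted field in a local and using it for the comparison, the log line and the deposit32() clamp. Two smaller points on the same lines: the message has no trailing "\n", and the backslash after "%s: Size 0x%x is larger than " is unnecessary, since adjacent string literals are concatenated inside the argument list without it. It is also worth a comment confirming that s->buf_maxsz always fits in 12 bits, because deposit32(s->blksize, 0, 12, s->buf_maxsz) would silently truncate a larger value rather than clamp to it.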