On Tue, Oct 6, 2015 at 10:40 AM, Alistair Francis
<alistair.fran...@xilinx.com> wrote:
> It is possible for the guest to set an invalid block
> size which is larger then the fifo_buffer[] array. This
> could cause a buffer overflow.
>
> To avoid this limit the maximum size of the blksize variable.
>
> Signed-off-by: Alistair Francis <alistair.fran...@xilinx.com>
> Suggested-by: Igor Mitsyanko <i.mitsya...@gmail.com>
> Reported-by: Intel Security ATR <sec...@intel.com>
> Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.pe...@gmail.com>
With Pavan's patches and now this, the SD patches are starting to pile
up on list. What queue do they target? target-arm (as lead/major user)
or something block-related?
Regards,
Peter
> ---
>
> hw/sd/sdhci.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 65304cf..1d47f5c 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -1006,6 +1006,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val,
> unsigned size)
> MASKED_WRITE(s->blksize, mask, value);
> MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
> }
> +
> + /* Limit block size to the maximum buffer size */
> + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
> + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
> + "the maximum buffer 0x%x", __func__, s->blksize,
> + s->buf_maxsz);
> +
> + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
> + }
> +
> break;
> case SDHC_ARGUMENT:
> MASKED_WRITE(s->argument, mask, value);
> --
> 2.1.4
>
