On 1/4/24 12:49, Heinrich Schuchardt wrote: > If the CSD register contains a reserved value (4 - 7) in bits 0:2 of the > TRAN_SPEED field, a buffer overrun occurs. Resize the mapping table. > > According to the original report > https://lore.kernel.org/u-boot/20180826231332.2491-11-ero...@de.adit-jv.com/ > reserved values have been observed resulting in a buffer overrun. > > Reported-by: Eugeniu Rosca <ero...@de.adit-jv.com> > Fixes: 272cc70b211e ("Add MMC Framework") > Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com> > Reviewed-by: Jaehoon Chung <jh80.ch...@samsung.com>
Applied to u-boot-mmc/master. Best Regards, Jaehoon Chung > --- > drivers/mmc/mmc.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c > index d96db7a0f8..00f4964aae 100644 > --- a/drivers/mmc/mmc.c > +++ b/drivers/mmc/mmc.c > @@ -1570,13 +1570,20 @@ static int sd_read_ssr(struct mmc *mmc) > return 0; > } > #endif > -/* frequency bases */ > -/* divided by 10 to be nice to platforms without floating point */ > +/* > + * TRAN_SPEED bits 0:2 encode the frequency unit: > + * 0 = 100KHz, 1 = 1MHz, 2 = 10MHz, 3 = 100MHz, values 4 - 7 are reserved. > + * The values in fbase[] are divided by 10 to avoid floats in multiplier[]. > + */ > static const int fbase[] = { > 10000, > 100000, > 1000000, > 10000000, > + 0, /* reserved */ > + 0, /* reserved */ > + 0, /* reserved */ > + 0, /* reserved */ > }; > > /* Multiplier values for TRAN_SPEED. Multiplied by 10 to be nice > @@ -2560,6 +2567,8 @@ static int mmc_startup(struct mmc *mmc) > mult = multipliers[((cmd.response[0] >> 3) & 0xf)]; > > mmc->legacy_speed = freq * mult; > + if (!mmc->legacy_speed) > + log_debug("TRAN_SPEED: reserved value"); > mmc_select_mode(mmc, MMC_LEGACY); > > mmc->dsr_imp = ((cmd.response[1] >> 12) & 0x1);