|
From: | Philippe Mathieu-Daudé |
Subject: | Re: [PATCH 1/2] sd: check bit number before setting card_status flag |
Date: | Wed, 20 May 2020 18:40:40 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 |
Hi Prasad, On 5/20/20 5:24 PM, P J P wrote:
From: Prasad J Pandit <address@hidden> SD card emulator sets 'sd->card_status' while performing block write commands. While doing so, it tests the corresponding bit derived from 's->data_start' address. This may lead to OOB access. Add check to avoid it.
Ah, this is different that the one reported recently: https://bugs.launchpad.net/qemu/+bug/1878054 Do you have a reproducer? Is this a CVE?
Reported-by: Alex <address@hidden>
This is not Alexander complete name.
Signed-off-by: Prasad J Pandit <address@hidden> --- hw/sd/sd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 71a9af09ab..916e9fff58 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -802,7 +802,12 @@ static void sd_function_switch(SDState *sd, uint32_t arg)static inline bool sd_wp_addr(SDState *sd, uint64_t addr){ - return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); + uint64_t bit = sd_addr_to_wpnum(addr); + + if (bit < sd->wpgrps_size) {
This should never be called with a such address, so I'd simply use an assertion here.
The problem is earlier where the address should be validated and a protocol error returned.
+ return test_bit(bit, sd->wp_groups); + } + return true; }static void sd_lock_command(SDState *sd)
[Prev in Thread] | Current Thread | [Next in Thread] |