[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] sd: check bit number before setting card_status flag

From: Philippe Mathieu-Daudé
Subject: Re: [PATCH 1/2] sd: check bit number before setting card_status flag
Date: Wed, 20 May 2020 18:40:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

Hi Prasad,

On 5/20/20 5:24 PM, P J P wrote:
From: Prasad J Pandit <address@hidden>

SD card emulator sets 'sd->card_status' while performing block
write commands. While doing so, it tests the corresponding bit
derived from 's->data_start' address. This may lead to OOB access.
Add check to avoid it.

Ah, this is different that the one reported recently:

Do you have a reproducer?

Is this a CVE?

Reported-by: Alex <address@hidden>

This is not Alexander complete name.

Signed-off-by: Prasad J Pandit <address@hidden>
  hw/sd/sd.c | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 71a9af09ab..916e9fff58 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -802,7 +802,12 @@ static void sd_function_switch(SDState *sd, uint32_t arg)
static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
-    return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
+    uint64_t bit = sd_addr_to_wpnum(addr);
+    if (bit < sd->wpgrps_size) {

This should never be called with a such address, so I'd simply use an assertion here.

The problem is earlier where the address should be validated and a protocol error returned.

+        return test_bit(bit, sd->wp_groups);
+    }
+    return true;
static void sd_lock_command(SDState *sd)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]