From: Mauro Matteo Cascella
Subject: Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()
Date: Mon, 29 May 2023 09:22:46 +0200

On Sat, May 27, 2023 at 11:00 AM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> Mon, 7 Nov 2022 11:35:10 +0100, you wrote:
> > Make sure to reset data_count if it's equal to (or exceeds) block_size.
> > This prevents an off-by-one read / write when accessing s->fifo_buffer
> > in sdhci_read_dataport / sdhci_write_dataport, both called right after
> > sdhci_buff_access_is_sequential.
> >
> > Fixes: CVE-2022-3872
>
> ..
>
> Has this been forgotten, or maybe a better fix is needed?
>
> https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html
There was a better patch proposed by Philippe:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html
Which was later dropped due to a CI failure:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01504.html
Not sure what's the current status.
> Thanks,
>
> /mjt
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
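
A simplified model of the check described in the quoted commit message, as an added example that is not part of this e-mail or of QEMU's source. The struct, the `model_*` names, the 8-byte block size and the 0xA5 fill value are assumptions, and the model refuses an out-of-range access instead of performing it.

```c
#include <stdint.h>
#include <string.h>

#define MODEL_BLOCK_SIZE 8u   /* constructed size for the model */

/* Simplified stand-in for the device state; not QEMU's own structure. */
struct model_sdhci {
    uint8_t  fifo_buffer[MODEL_BLOCK_SIZE];
    uint32_t block_size;   /* valid indices are 0 .. block_size - 1 */
    uint32_t data_count;   /* next index into fifo_buffer */
};

/* The reset the commit message describes, run before the data port access. */
static void model_reset_if_full(struct model_sdhci *s)
{
    if (s->data_count >= s->block_size) {
        s->data_count = 0;
    }
}

/* Read one byte through the model data port. Returns the byte, or -1 when
 * data_count points one past the block (the off-by-one case). */
static int model_read_dataport(struct model_sdhci *s, int apply_reset)
{
    if (apply_reset) {
        model_reset_if_full(s);
    }
    if (s->data_count >= s->block_size) {
        return -1;                      /* index would be out of bounds */
    }
    return s->fifo_buffer[s->data_count++];
}

/* Constructed state: data_count is already equal to block_size. */
static struct model_sdhci model_full_state(void)
{
    struct model_sdhci s;
    memset(&s, 0, sizeof(s));
    s.block_size = MODEL_BLOCK_SIZE;
    memset(s.fifo_buffer, 0xA5, sizeof(s.fifo_buffer));
    s.data_count = s.block_size;
    return s;
}

int main(void)
{
    struct model_sdhci a = model_full_state(), b = model_full_state();
    return !(model_read_dataport(&a, 0) == -1 && model_read_dataport(&b, 1) == 0xA5);
}
```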