| From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001 |
| From: Bin Meng <bmeng.cn@gmail.com> |
| Date: Wed, 3 Mar 2021 20:26:38 +0800 |
| Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE |
| register is writable |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| The codes to limit the maximum block size is only necessary when |
| SDHC_BLKSIZE register is writable. |
| |
| Tested-by: Alexander Bulekov <alxndr@bu.edu> |
| Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| Signed-off-by: Bin Meng <bmeng.cn@gmail.com> |
| Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> |
| Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| |
| Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd] |
| CVE: CVE-2021-3409 |
| |
| Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| --- |
| hw/sd/sdhci.c | 14 +++++++------- |
| 1 file changed, 7 insertions(+), 7 deletions(-) |
| |
| diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c |
| index 7de03c6dd..6c780126e 100644 |
| --- a/hw/sd/sdhci.c |
| +++ b/hw/sd/sdhci.c |
| @@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) |
| if (!TRANSFERRING_DATA(s->prnsts)) { |
| MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); |
| MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); |
| - } |
| |
| - /* Limit block size to the maximum buffer size */ |
| - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { |
| - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " |
| - "the maximum buffer 0x%x\n", __func__, s->blksize, |
| - s->buf_maxsz); |
| + /* Limit block size to the maximum buffer size */ |
| + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { |
| + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " |
| + "the maximum buffer 0x%x\n", __func__, s->blksize, |
| + s->buf_maxsz); |
| |
| - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); |
| + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); |
| + } |
| } |
| |
| break; |
| -- |
| 2.29.2 |
| |