poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch - openbmc/openbmc - Gitiles

 From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
 From: Bin Meng <bmeng.cn@gmail.com>
 Date: Wed, 3 Mar 2021 20:26:38 +0800
 Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
  register is writable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 The codes to limit the maximum block size is only necessary when
 SDHC_BLKSIZE register is writable.

 Tested-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
 Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

 Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
 CVE: CVE-2021-3409

 Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
 ---
  hw/sd/sdhci.c | 14 +++++++-------
  1 file changed, 7 insertions(+), 7 deletions(-)

 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
 index 7de03c6dd..6c780126e 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
 @@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
          if (!TRANSFERRING_DATA(s->prnsts)) {
              MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
              MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
 -        }

 -        /* Limit block size to the maximum buffer size */
 -        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
 -            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
 -                          "the maximum buffer 0x%x\n", __func__, s->blksize,
 -                          s->buf_maxsz);
 +            /* Limit block size to the maximum buffer size */
 +            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
 +                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
 +                              "the maximum buffer 0x%x\n", __func__, s->blksize,
 +                              s->buf_maxsz);

 -            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
 +                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
 +            }
          }

          break;
 --
 2.29.2
	From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
	From: Bin Meng <bmeng.cn@gmail.com>
	Date: Wed, 3 Mar 2021 20:26:38 +0800
	Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
	register is writable
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	The codes to limit the maximum block size is only necessary when
	SDHC_BLKSIZE register is writable.

	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
	Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

	Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
	CVE: CVE-2021-3409

	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	---
	hw/sd/sdhci.c \| 14 +++++++-------
	1 file changed, 7 insertions(+), 7 deletions(-)

	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
	index 7de03c6dd..6c780126e 100644
	--- a/hw/sd/sdhci.c
	+++ b/hw/sd/sdhci.c
	@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
	if (!TRANSFERRING_DATA(s->prnsts)) {
	MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
	- }

	- /* Limit block size to the maximum buffer size */
	- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
	- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
	- "the maximum buffer 0x%x\n", __func__, s->blksize,
	- s->buf_maxsz);
	+ /* Limit block size to the maximum buffer size */
	+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
	+ "the maximum buffer 0x%x\n", __func__, s->blksize,
	+ s->buf_maxsz);

	- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
	+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
	+ }
	}

	break;
	--
	2.29.2