| Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame^] | 1 | From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001 |
| 2 | From: Bin Meng <bmeng.cn@gmail.com> |
| 3 | Date: Wed, 3 Mar 2021 20:26:38 +0800 |
| 4 | Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE |
| 5 | register is writable |
| 6 | MIME-Version: 1.0 |
| 7 | Content-Type: text/plain; charset=UTF-8 |
| 8 | Content-Transfer-Encoding: 8bit |
| 9 | |
| 10 | The codes to limit the maximum block size is only necessary when |
| 11 | SDHC_BLKSIZE register is writable. |
| 12 | |
| 13 | Tested-by: Alexander Bulekov <alxndr@bu.edu> |
| 14 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| 15 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> |
| 16 | Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> |
| 17 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| 18 | |
| 19 | Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd] |
| 20 | CVE: CVE-2021-3409 |
| 21 | |
| 22 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| 23 | --- |
| 24 | hw/sd/sdhci.c | 14 +++++++------- |
| 25 | 1 file changed, 7 insertions(+), 7 deletions(-) |
| 26 | |
| 27 | diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c |
| 28 | index 7de03c6dd..6c780126e 100644 |
| 29 | --- a/hw/sd/sdhci.c |
| 30 | +++ b/hw/sd/sdhci.c |
| 31 | @@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) |
| 32 | if (!TRANSFERRING_DATA(s->prnsts)) { |
| 33 | MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); |
| 34 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); |
| 35 | - } |
| 36 | |
| 37 | - /* Limit block size to the maximum buffer size */ |
| 38 | - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { |
| 39 | - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " |
| 40 | - "the maximum buffer 0x%x\n", __func__, s->blksize, |
| 41 | - s->buf_maxsz); |
| 42 | + /* Limit block size to the maximum buffer size */ |
| 43 | + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { |
| 44 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " |
| 45 | + "the maximum buffer 0x%x\n", __func__, s->blksize, |
| 46 | + s->buf_maxsz); |
| 47 | |
| 48 | - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); |
| 49 | + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); |
| 50 | + } |
| 51 | } |
| 52 | |
| 53 | break; |
| 54 | -- |
| 55 | 2.29.2 |
| 56 | |