[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 63/81] sd: sdhci: check data length during dma_memor
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 63/81] sd: sdhci: check data length during dma_memory_read |
Date: |
Mon, 20 Mar 2017 18:08:27 -0500 |
From: Prasad J Pandit <address@hidden>
While doing multi block SDMA transfer in routine
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
index 'begin' and data length 's->data_count' could end up to be same.
This could lead to an OOB access issue. Correct transfer data length
to avoid it.
Cc: address@hidden
Reported-by: Jiang Xin <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9)
Signed-off-by: Michael Roth <address@hidden>
---
hw/sd/sdhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 01fbf22..5bd5ab6 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
boundary_count -= block_size - begin;
}
dma_memory_read(&address_space_memory, s->sdmasysad,
- &s->fifo_buffer[begin], s->data_count);
+ &s->fifo_buffer[begin], s->data_count - begin);
s->sdmasysad += s->data_count - begin;
if (s->data_count == block_size) {
for (n = 0; n < block_size; n++) {
--
2.7.4
- [Qemu-devel] [PATCH 70/81] qga: ignore EBUSY when freezing a filesystem, (continued)
- [Qemu-devel] [PATCH 70/81] qga: ignore EBUSY when freezing a filesystem, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 75/81] NetRxPkt: Do not try to pull more data than present, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 06/81] 9pfs: local: open/opendir: don't follow symlinks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 59/81] target/s390x: use "qemu" cpu model in user mode, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 74/81] NetRxPkt: Fix memory corruption on VLAN header stripping, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 69/81] target-i386: correctly propagate retaddr into SVM helpers, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 08/81] 9pfs: local: llistxattr: don't follow symlinks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 61/81] block/nfs: fix NULL pointer dereference in URI parsing, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 05/81] 9pfs: local: keep a file descriptor on the shared folder, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 64/81] vnc: do not disconnect on EAGAIN, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 63/81] sd: sdhci: check data length during dma_memory_read,
Michael Roth <=
- [Qemu-devel] [PATCH 76/81] NetRxPkt: Account buffer with ETH header in IOV length, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 66/81] block/vmdk: Fix the endian problem of buf_len and lba, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 73/81] eth: Extend vlan stripping functions, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 77/81] e1000e: correctly tear down MSI-X memory regions, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 78/81] scsi: mptsas: fix the wrong reading size in fetch request, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 81/81] thread-pool: add missing qemu_bh_cancel in completion function, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 71/81] hmp: fix block_set_io_throttle, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 72/81] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 80/81] s390x/css: reassign subchannel if schid is changed after migration, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 79/81] virtio-pci: reset modern vq meta data, Michael Roth, 2017/03/20