[Qemu-devel] [PATCH 28/55] hw/sd: fix out-of-bounds check for multi bloc
From: Michael Roth
Subject: [Qemu-devel] [PATCH 28/55] hw/sd: fix out-of-bounds check for multi block reads
Date: Wed, 6 Dec 2017 13:16:21 -0600
From: Michael Olbrich <address@hidden>
The current code checks if the next block exceeds the size of the card.
This generates an error while reading the last block of the card.
Do the out-of-bounds check when starting to read a new block to fix this.
This issue became visible with increased error checking in Linux 4.13.
Cc: address@hidden
Signed-off-by: Michael Olbrich <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 8573378e62d19e25a2434e23462ec99ef4d065ac)
Signed-off-by: Michael Roth <address@hidden>
---
hw/sd/sd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ba47bff4db..35347a5bbc 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1797,8 +1797,13 @@ uint8_t sd_read_data(SDState *sd)
break;
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
- if (sd->data_offset == 0)
+ if (sd->data_offset == 0) {
+ if (sd->data_start + io_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return 0x00;
+ }
BLK_READ_BLOCK(sd->data_start, io_len);
+ }
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= io_len) {
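Review bot: in the new check at the top of the CMD18 case, sd->data_start + io_len is summed before being compared with sd->size, and the field types are not visible in this hunk; if data_start can come from a guest-supplied address it is worth confirming the sum cannot wrap, or writing the test in subtraction form so a large start address cannot slip past it. The early return 0x00 also leaves data_offset at 0, so every later call re-enters this branch; a one-line comment stating that this repeat behaviour is intended would help.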
@@ -1812,11 +1817,6 @@ uint8_t sd_read_data(SDState *sd)
break;
}
}
-
- if (sd->data_start + io_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
- break;
- }
}
break;
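Review bot: where the sd->data_start + io_len > sd->size test is removed after the end-of-block handling, a short comment would help, saying the bounds check is now made when the next block is started so that the last block of the card reads without ADDRESS_ERROR; without it the missing end-of-block check looks like an omission and could be re-added. A regression test that reads the final block of the card with a multi block read would pin the behaviour down.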
--
2.11.0
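The off-by-one described in the commit message, as an added example (not part of the original mail and not QEMU code): a reduced model of a multi block read with the bounds check made after a block is finished, as before the patch, and before a block is started, as after it. The struct card, BLOCK, the flag value and the 0xAA data byte are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model values; not QEMU's SDState or its definitions. */
#define BLOCK 4u            /* stands in for io_len */
#define ADDRESS_ERROR 1u
struct card { uint64_t size, data_start; uint32_t data_offset, status; };

/* Old placement: after finishing a block, test whether the NEXT block fits. */
static uint8_t read_check_after(struct card *c)
{
    if (++c->data_offset >= BLOCK) {
        c->data_start += BLOCK;
        c->data_offset = 0;
        if (c->data_start + BLOCK > c->size)
            c->status |= ADDRESS_ERROR;   /* fires on the card's last block */
    }
    return 0xAA;                          /* stand-in for a data byte */
}

/* New placement: test the block about to be read, before touching it. */
static uint8_t read_check_before(struct card *c)
{
    if (c->data_offset == 0 && c->data_start + BLOCK > c->size) {
        c->status |= ADDRESS_ERROR;
        return 0x00;
    }
    if (++c->data_offset >= BLOCK) {
        c->data_start += BLOCK;
        c->data_offset = 0;
    }
    return 0xAA;
}

/* Read nbytes starting at start on a size-byte card; return the status bits. */
static uint32_t run(uint8_t (*rd)(struct card *), uint64_t size,
                    uint64_t start, unsigned nbytes)
{
    struct card c = { size, start, 0, 0 };
    while (nbytes--) rd(&c);
    return c.status;
}

int main(void)
{
    printf("last block: old=%u new=%u; one byte past end: new=%u\n",
           run(read_check_after, 16, 12, 4), run(read_check_before, 16, 12, 4),
           run(read_check_before, 16, 12, 5));
    return 0;
}
```

On a 16-byte model card, reading the final 4-byte block sets the error flag only with the old placement; both placements still reject a read that continues past the end.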