CVE-2022-3872: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From:

Mauro Matteo Cascella

Subject:

[PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()

Date:

Mon, 7 Nov 2022 11:35:10 +0100

Make sure to reset data_count if it’s equal to (or exceeds) block_size. This prevents an off-by-one read / write when accessing s->fifo_buffer in sdhci_read_dataport / sdhci_write_dataport, both called right after sdhci_buff_access_is_sequential.

Fixes: CVE-2022-3872 Reported-by: RivenDell [email protected] Reported-by: Siqi Chen [email protected] Reported-by: ningqiang [email protected] Signed-off-by: Mauro Matteo Cascella [email protected]

---

hw/sd/sdhci.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 306070c872…aa2fd79df2 100644 — a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -978,6 +978,10 @@ static bool sdhci_can_issue_command(SDHCIState *s) static inline bool sdhci_buff_access_is_sequential(SDHCIState *s, unsigned byte_num) {

• if (s->data_count >= (s->blksize & BLOCK_SIZE_MASK)) {

•    s->data\_count = 0;
  

• }
• if ((s->data_count & 0x3) != byte_num) { trace_sdhci_error(“Non-sequential access to Buffer Data Port register” “is prohibited\n”); – 2.38.1

• [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential(), Mauro Matteo Cascella <=

  • Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential(), Mauro Matteo Cascella, 2022/11/07
  • Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential(), Philippe Mathieu-Daudé, 2022/11/07

• Prev by Date: Re: [PATCH v2 0/6] Two -Wclobbered fixes, plus other cleanup

• Next by Date: Re: [PATCH 3/3] qemu-img: Speed up checksum

• Previous by thread: Re: [PATCH 1/3] qemu-img: Add checksum command

• Next by thread: Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()

• Index(es):

  • Date
  • Thread