git.ipfire.org Git - thirdparty/qemu.git/commit
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
author Philippe Mathieu-Daudé <f4bug@amsat.org>
Thu, 4 Jun 2020 17:22:29 +0000 (19:22 +0200)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Thu, 3 Sep 2020 00:06:19 +0000 (19:06 -0500)
commit d7fab184e98bc0d482b0203fd3333da972b7ca5f
tree 4844399e7ed0f289789e7c4ba4f37be8cee3b124
parent c8966bff5f45a09bc335686bef7b1aa4722c3e4f
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid

Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
commands queued.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.3 Data Read

  Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

  4.3.4 Data Write

  Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().

Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
(cherry picked from commit 790762e5487114341cccc5bffcec4cb3c022c3cd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/sd/sd.c
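
A simplified model of the ordering the commit message above describes, added here as an illustration and not taken from QEMU's hw/sd/sd.c: the address is validated before the state changes, so a rejected write command never reaches the data phase. The struct, function names, card size and block length are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model; every name and size here is hypothetical, not QEMU's. */
enum card_state { TRANSFER, RECEIVING_DATA };
#define ADDRESS_ERROR (1u << 30)
#define CARD_SIZE 1024u
#define BLK_LEN   512u

struct card {
    enum card_state state;
    uint32_t card_status;
    uint64_t data_start;
    uint8_t  storage[CARD_SIZE];
};

/* Write command: validate the address first and enter RECEIVING_DATA
 * only when no error is pending. */
static int cmd_write_block(struct card *c, uint64_t addr)
{
    if (c->state != TRANSFER)
        return -1;
    if (addr > CARD_SIZE - BLK_LEN) {    /* overflow-safe range check */
        c->card_status |= ADDRESS_ERROR;
        return -1;                       /* rejected, state unchanged */
    }
    c->data_start = addr;
    c->state = RECEIVING_DATA;
    return 0;
}

/* Data phase: a block is consumed only in RECEIVING_DATA, so a rejected
 * command can never reach the memcpy with an out-of-range data_start. */
static int data_write_block(struct card *c, const uint8_t *blk)
{
    if (c->state != RECEIVING_DATA)
        return -1;
    memcpy(&c->storage[c->data_start], blk, BLK_LEN);
    c->state = TRANSFER;
    return 0;
}

/* One command plus data phase on a fresh card; 1 if the block was stored. */
static int try_write(uint64_t addr)
{
    struct card c = { .state = TRANSFER };
    uint8_t blk[BLK_LEN] = { 0xAA };     /* constructed sample block */
    cmd_write_block(&c, addr);
    return data_write_block(&c, blk) == 0;
}

int main(void) { return (try_write(512) == 1 && try_write(4096) == 0) ? 0 : 1; }
```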