From: Prasad J Pandit <[email protected]> While processing standard SD commands, the 'req.cmd' value could lead to OOB read when used as an index into 'sd_cmd_type' array. Limit 'req.cmd' value to avoid such an access.
Reported-by: Qinghao Tang <[email protected]> Signed-off-by: Prasad J Pandit <[email protected]> --- hw/sd/sd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 1a9935c..b800ced 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -668,8 +668,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, /* Not interpreting this as an app command */ sd->card_status &= ~APP_CMD; - if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) + if (sd_cmd_type[req.cmd & 0x3F] == sd_ac + || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) { rca = req.arg >> 16; + } DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state); switch (req.cmd) { -- 2.5.0
