From: Bin Meng <[email protected]>
This series includes several fixes to CVE-2020-17380, CVE-2020-25085
and CVE-2021-3409 that are heap-based buffer overflow issues existing
in the sdhci model.
These CVEs are pretty much similar, and were filed using different
reproducers. With this series, current known reproducers I have
cannot be reproduced any more.
The implementation of this model may still have some issues, i.e.:
some codes do not strictly match the spec, but since this series
only aimes to address CVEs, such issue should be fixed in a separate
series in the future, if I have time :)
Bin Meng (4):
hw/sd: sdhci: Don't transfer any data when command time out
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
progress
hw/sd: sdhci: Correctly set the controller status for ADMA
hw/sd: sdhci: Simplify updating s->prnsts in
sdhci_sdma_transfer_multi_blocks()
hw/sd/sdhci.c | 34 ++++++++++++++++++++--------------
1 file changed, 20 insertions(+), 14 deletions(-)
--
2.7.4
