Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-02 Thread Philippe Mathieu-Daudé
On 9/2/20 6:46 PM, P J P wrote:
> +-- On Wed, 2 Sep 2020, Philippe Mathieu-Daudé wrote --+
> | > +if (s->data_count <= begin || s->data_count > s->buf_maxsz) {
> | > +break;
> | > +}
> |
> | Thanks for your patch. Note however this kind of security fix hides

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-02 Thread P J P
+-- On Tue, 1 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
|
| This directory is 3 months old, I can't find it on the list...
| Did I miss that or did the list eat the report?

No, it was reported to [qemu-secu

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-02 Thread P J P
+-- On Wed, 2 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > +if (s->data_count <= begin || s->data_count > s->buf_maxsz) {
| > +break;
| > +}
|
| Thanks for your patch. Note however this kind of security fix hides
| the bug in the model, furthermore it make

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-02 Thread Philippe Mathieu-Daudé
Hi Prasad,

On 8/27/20 1:53 PM, P J P wrote:
> From: Prasad J Pandit
>
> While doing multi block SDMA, transfer block size may exceed
> the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
> current element pointer 's->data_count' pointing out of bounds.
> Leading the subsequent DMA r/w oper

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-01 Thread Philippe Mathieu-Daudé
On 8/27/20 1:53 PM, P J P wrote:
> From: Prasad J Pandit
>
> While doing multi block SDMA, transfer block size may exceed
> the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
> current element pointer 's->data_count' pointing out of bounds.
> Leading the subsequent DMA r/w operation to OOB

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-09-01 Thread P J P
+-- On Sun, 30 Aug 2020, Alexander Bulekov wrote --+
| Here's a qtest reproducer for this one:
|
| cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
| -device sdhci-pci -device sd-card,drive=mydrive \
| -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
| -nographic -accel qtest

Re: [PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-08-30 Thread Alexander Bulekov
Here's a qtest reproducer for this one:

cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
-device sdhci-pci -device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -accel qtest -qtest stdio -nographic
outl 0xcf8 0x80001001
outl 0xcfc 0x7e6f25

[PATCH] sd: sdhci: check data_count is within fifo_buffer

2020-08-27 Thread P J P
From: Prasad J Pandit

While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to OOB access issue.
Add check to avoid it.

-> ht