On 9/2/20 6:46 PM, P J P wrote:
> +-- On Wed, 2 Sep 2020, Philippe Mathieu-Daudé wrote --+
> | > +if (s->data_count <= begin || s->data_count > s->buf_maxsz) {
> | > +break;
> | > +}
> |
> | Thanks for your patch. Note however this kind of security fix hides
+-- On Tue, 1 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
|
| This directory is 3 months old, I can't find it on the list...
| Did I miss that, or did the list eat the report?
No, it was reported to [qemu-secu
+-- On Wed, 2 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > +if (s->data_count <= begin || s->data_count > s->buf_maxsz) {
| > +break;
| > +}
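Review bot: the new condition turns an oversized transfer into a silent `break` out of the loop rather than an error, so a guest that programs a block size larger than the fifo sees the transfer stop half way with s->data_count left at whatever value tripped the check, and nothing tells it why. Since the commit message names the transfer block size exceeding 's->fifo_buffer[s->buf_maxsz]' as the root cause, consider refusing the block size at the point the guest programs it (compare it against s->buf_maxsz on the register write) instead of, or in addition to, bailing out mid-transfer; that keeps the model's state consistent rather than hiding the bad value until the DMA loop runs.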
|
| Thanks for your patch. Note however this kind of security fix hides
| the bug in the model, furthermore it make
Hi Prasad,
On 8/27/20 1:53 PM, P J P wrote:
> From: Prasad J Pandit
>
> While doing multi block SDMA, transfer block size may exceed
> the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
> current element pointer 's->data_count' pointing out of bounds.
> Leading the subsequent DMA r/w operation to OOB
+-- On Sun, 30 Aug 2020, Alexander Bulekov wrote --+
| Here's a qtest reproducer for this one:
|
| cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
| -device sdhci-pci -device sd-card,drive=mydrive \
| -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
| -nographic -accel qtest
Here's a qtest reproducer for this one:
cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
-device sdhci-pci -device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -accel qtest -qtest stdio -nographic
outl 0xcf8 0x80001001
outl 0xcfc 0x7e6f25
From: Prasad J Pandit
While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to an OOB access issue.
Add check to avoid it.
-> ht
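As an added illustration, not code from QEMU or from the patch under discussion, here is a deliberately simplified C model of the state the commit message describes: a fixed fifo_buffer[buf_maxsz], a guest-programmed blksize register, and the data_count element pointer. The unchecked fill trusts the programmed block size and so can run data_count past buf_maxsz, which is the OOB the message reports; the sdhci_set_blksize variant refuses an oversized block size when the register is written, so the transfer loop never sees one. BUF_MAXSZ, the 0x0fff block-size mask, and every function name here are assumptions for the example; the byte store records an out-of-bounds index instead of writing through it, so the model is safe to run.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the SDHCI SDMA transfer state. Added
 * example, not QEMU's hw/sd/sdhci.c; field names follow the thread
 * (fifo_buffer, buf_maxsz, blksize, data_count), the rest is assumed. */
#define BUF_MAXSZ 512u   /* assumed fifo size; the device model sets the real one */

typedef struct {
    uint8_t  fifo_buffer[BUF_MAXSZ];
    uint32_t buf_maxsz;
    uint16_t blksize;     /* guest-programmed; low 12 bits assumed to be the block size */
    uint32_t data_count;  /* current element pointer into fifo_buffer */
    bool     oob;         /* set when a store would land outside fifo_buffer */
} SdhciModel;

/* Bounds-checked byte store: records the OOB instead of corrupting memory,
 * so the faulty path can be exercised without undefined behaviour. */
static void fifo_put(SdhciModel *s, uint32_t idx, uint8_t v)
{
    if (idx >= s->buf_maxsz) {
        s->oob = true;
        return;
    }
    s->fifo_buffer[idx] = v;
}

/* Unchecked model of filling one block: copies block_size bytes into the fifo
 * and advances data_count, trusting blksize exactly as the guest programmed it.
 * Returns -1 if the fill touched memory past fifo_buffer. */
int sdma_fill_block_unchecked(SdhciModel *s)
{
    uint16_t block_size = s->blksize & 0x0fff;   /* assumed register layout */
    for (uint32_t n = 0; n < block_size; n++) {
        fifo_put(s, n, (uint8_t)n);   /* stands in for reading a byte from the card */
    }
    s->data_count = block_size;       /* may now exceed buf_maxsz */
    return s->oob ? -1 : 0;
}

/* Hardened register write: a block size that does not fit the fifo is refused
 * at the point the guest programs it, so the transfer path never sees one and
 * data_count can never exceed buf_maxsz. Returns false if the write is ignored. */
bool sdhci_set_blksize(SdhciModel *s, uint16_t value)
{
    uint16_t block_size = value & 0x0fff;
    if (block_size > s->buf_maxsz) {
        return false;   /* keep the previous, valid value */
    }
    s->blksize = value;
    return true;
}

/* Drive the unchecked path with a guest-chosen blksize; true if the transfer
 * would leave the fifo or leave data_count pointing past it. */
bool unchecked_transfer_goes_oob(uint16_t guest_blksize)
{
    SdhciModel s;
    memset(&s, 0, sizeof s);
    s.buf_maxsz = BUF_MAXSZ;
    s.blksize = guest_blksize;            /* raw guest write, no validation */
    sdma_fill_block_unchecked(&s);
    return s.oob || s.data_count > s.buf_maxsz;
}

/* Same guest value, but routed through the validating register write. */
bool checked_transfer_goes_oob(uint16_t guest_blksize)
{
    SdhciModel s;
    memset(&s, 0, sizeof s);
    s.buf_maxsz = BUF_MAXSZ;
    s.blksize = 0x0200;                   /* assumed sane reset value: 512-byte blocks */
    sdhci_set_blksize(&s, guest_blksize); /* oversized values are refused here */
    sdma_fill_block_unchecked(&s);
    return s.oob || s.data_count > s.buf_maxsz;
}

int main(void)
{
    uint16_t guest = 0x0fff;   /* largest block size the assumed 12-bit field holds */
    printf("unchecked, blksize=0x%04x: %s\n", guest,
           unchecked_transfer_goes_oob(guest) ? "OOB" : "ok");
    printf("checked,   blksize=0x%04x: %s\n", guest,
           checked_transfer_goes_oob(guest) ? "OOB" : "ok");
    return 0;
}
```

The point of the two entry functions is the contrast: the same guest value that drives data_count past buf_maxsz on the unchecked path is simply never accepted on the checked one, so no loop-exit condition in the transfer code is needed to paper over it.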