mirror of https://gitlab.com/qemu-project/qemu
790762e548
Only move the state machine to ReceivingData if there is no pending error. This avoids later OOB access while processing commands queued. "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" 4.3.3 Data Read Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. 4.3.4 Data Write Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data(). Fixes: CVE-2020-13253 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-6-f4bug@amsat.org> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile.objs | ||
| allwinner-sdhost.c | ||
| aspeed_sdhci.c | ||
| bcm2835_sdhost.c | ||
| core.c | ||
| milkymist-memcard.c | ||
| omap_mmc.c | ||
| pl181.c | ||
| pxa2xx_mmci.c | ||
| sd.c | ||
| sdhci-internal.h | ||
| sdhci-pci.c | ||
| sdhci.c | ||
| sdmmc-internal.c | ||
| sdmmc-internal.h | ||
| ssi-sd.c | ||
| trace-events | ||