pool/qemu
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1e47dbc5c1
qemu/hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch
Bruce Rogers 86ffd40d11 Accepting request 882222 from home:bfrogers:branches:Virtualization 
- Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a
  module to what was accepted upstream (bsc#1181103)
* Patches dropped:
  hw-s390x-modularize-virtio-gpu-ccw.patch
* Patches added:
  s390x-add-have_virtio_ccw.patch
  s390x-modularize-virtio-gpu-ccw.patch
  s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch
- Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144,
  CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282)
  hw-sd-sd-Actually-perform-the-erase-oper.patch
  hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch
  hw-sd-sdhci-Correctly-set-the-controller.patch
  hw-sd-sdhci-Don-t-transfer-any-data-when.patch
  hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch
  hw-sd-sdhci-Limit-block-size-only-when-S.patch
  hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch
  hw-sd-sd-Move-the-sd_block_-read-write-a.patch
  hw-sd-sd-Skip-write-protect-groups-check.patch
- Fix potential privilege escalation in virtiofsd tool
  (CVE-2021-20263, bsc#1183373)
  tools-virtiofsd-Replace-the-word-whiteli.patch
  viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch
  virtiofsd-extract-lo_do_open-from-lo_ope.patch
  virtiofsd-optionally-return-inode-pointe.patch
  virtiofsd-prevent-opening-of-special-fil.patch
  virtiofs-drop-remapped-security.capabili.patch
  virtiofsd-Save-error-code-early-at-the-f.patch
- Fix OOB access (stack overflow) in rtl8139 NIC emulation
  (CVE-2021-3416, bsc#1182968)
  net-introduce-qemu_receive_packet.patch
  rtl8139-switch-to-use-qemu_receive_packe.patch
- Fix OOB access (stack overflow) in other NIC emulations
  (CVE-2021-3416)
  cadence_gem-switch-to-use-qemu_receive_p.patch
  dp8393x-switch-to-use-qemu_receive_packe.patch
  e1000-switch-to-use-qemu_receive_packet-.patch
  lan9118-switch-to-use-qemu_receive_packe.patch
  msf2-mac-switch-to-use-qemu_receive_pack.patch
  pcnet-switch-to-use-qemu_receive_packet-.patch
  sungem-switch-to-use-qemu_receive_packet.patch
  tx_pkt-switch-to-use-qemu_receive_packet.patch
- Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
  memory-clamp-cached-translation-in-case-.patch
- Include upstream patches designated as stable material and
  reviewed for applicability to include here
  hw-arm-virt-Disable-pl011-clock-migratio.patch
  xen-block-Fix-removal-of-backend-instanc.patch
- Fix package scripts to not use hard coded paths for temporary
  working directories and log files (bsc#1182425)

OBS-URL: https://build.opensuse.org/request/show/882222
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=632
2021-03-30 20:27:28 +00:00

96 lines
3.3 KiB
Diff
Raw Blame History

From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:39 +0800
Subject: hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a
different block size is programmed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
If the block size is programmed to a different value from the
previous one, reset the data pointer of s->fifo_buffer[] so that
s->fifo_buffer[] can be filled in using the new block size in
the next transfer.
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 51c2a3ffde21314afe2a2c84fa1b..3c35942161097989e626f5cfd887 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1141,6 +1141,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
break;
case SDHC_BLKSIZE:
if (!TRANSFERRING_DATA(s->prnsts)) {
+ uint16_t blksize = s->blksize;
+
MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
@@ -1152,6 +1154,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
}
+
+ /*
+ * If the block size is programmed to a different value from
+ * the previous one, reset the data pointer of s->fifo_buffer[]
+ * so that s->fifo_buffer[] can be filled in using the new block
+ * size in the next transfer.
+ */
+ if (blksize != s->blksize) {
+ s->data_count = 0;
+ }
}
break;
Reference in New Issue View Git Blame Copy Permalink