qemu/hw-sd-sd-Skip-write-protect-groups-check.patch

From: Bin Meng <bin.meng@windriver.com>
Date: Tue, 16 Feb 2021 23:02:22 +0800
Subject: hw/sd: sd: Skip write protect groups check in sd_erase() for high
 capacity cards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 2473dc4022458dcc05ec367ce97edbef29d7e50c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

High capacity cards don't support write protection hence we should
not perform the write protect groups check in sd_erase() for them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/sd/sd.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ac48140251de7845a01ab4ad656c..a4ea365f4a74afd30dee5b16eebe 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -781,6 +781,7 @@ static void sd_erase(SDState *sd)
     int i;
     uint64_t erase_start = sd->erase_start;
     uint64_t erase_end = sd->erase_end;
+    bool sdsc = true;
 
     trace_sdcard_erase(sd->erase_start, sd->erase_end);
     if (sd->erase_start == INVALID_ADDRESS
@@ -795,6 +796,7 @@ static void sd_erase(SDState *sd)
         /* High capacity memory card: erase units are 512 byte blocks */
         erase_start *= 512;
         erase_end *= 512;
+        sdsc = false;
     }
 
     if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
@@ -804,16 +806,20 @@ static void sd_erase(SDState *sd)
         return;
     }
 
-    erase_start = sd_addr_to_wpnum(erase_start);
-    erase_end = sd_addr_to_wpnum(erase_end);
     sd->erase_start = INVALID_ADDRESS;
     sd->erase_end = INVALID_ADDRESS;
     sd->csd[14] |= 0x40;
 
-    for (i = erase_start; i <= erase_end; i++) {
-        assert(i < sd->wpgrps_size);
-        if (test_bit(i, sd->wp_groups)) {
-            sd->card_status |= WP_ERASE_SKIP;
+    /* Only SDSC cards support write protect groups */
+    if (sdsc) {
+        erase_start = sd_addr_to_wpnum(erase_start);
+        erase_end = sd_addr_to_wpnum(erase_end);
+
+        for (i = erase_start; i <= erase_end; i++) {
+            assert(i < sd->wpgrps_size);
+            if (test_bit(i, sd->wp_groups)) {
+                sd->card_status |= WP_ERASE_SKIP;
+            }
         }
     }
 }
Accepting request 882222 from home:bfrogers:branches:Virtualization - Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a module to what was accepted upstream (bsc#1181103) * Patches dropped: hw-s390x-modularize-virtio-gpu-ccw.patch * Patches added: s390x-add-have_virtio_ccw.patch s390x-modularize-virtio-gpu-ccw.patch s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch - Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144, CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282) hw-sd-sd-Actually-perform-the-erase-oper.patch hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch hw-sd-sdhci-Correctly-set-the-controller.patch hw-sd-sdhci-Don-t-transfer-any-data-when.patch hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch hw-sd-sdhci-Limit-block-size-only-when-S.patch hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch hw-sd-sd-Move-the-sd_block_-read-write-a.patch hw-sd-sd-Skip-write-protect-groups-check.patch - Fix potential privilege escalation in virtiofsd tool (CVE-2021-20263, bsc#1183373) tools-virtiofsd-Replace-the-word-whiteli.patch viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch virtiofsd-extract-lo_do_open-from-lo_ope.patch virtiofsd-optionally-return-inode-pointe.patch virtiofsd-prevent-opening-of-special-fil.patch virtiofs-drop-remapped-security.capabili.patch virtiofsd-Save-error-code-early-at-the-f.patch - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) net-introduce-qemu_receive_packet.patch rtl8139-switch-to-use-qemu_receive_packe.patch - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416) cadence_gem-switch-to-use-qemu_receive_p.patch dp8393x-switch-to-use-qemu_receive_packe.patch e1000-switch-to-use-qemu_receive_packet-.patch lan9118-switch-to-use-qemu_receive_packe.patch msf2-mac-switch-to-use-qemu_receive_pack.patch pcnet-switch-to-use-qemu_receive_packet-.patch sungem-switch-to-use-qemu_receive_packet.patch tx_pkt-switch-to-use-qemu_receive_packet.patch - Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686) memory-clamp-cached-translation-in-case-.patch - Include upstream patches designated as stable material and reviewed for applicability to include here hw-arm-virt-Disable-pl011-clock-migratio.patch xen-block-Fix-removal-of-backend-instanc.patch - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) OBS-URL: https://build.opensuse.org/request/show/882222 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=632 2021-03-30 22:27:28 +02:00			`From: Bin Meng <bin.meng@windriver.com>`
			`Date: Tue, 16 Feb 2021 23:02:22 +0800`
			`Subject: hw/sd: sd: Skip write protect groups check in sd_erase() for high`
			`capacity cards`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Git-commit: 2473dc4022458dcc05ec367ce97edbef29d7e50c`
			`References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085`
			`References: bsc#1182282, CVE-2021-3409`

			`High capacity cards don't support write protection hence we should`
			`not perform the write protect groups check in sd_erase() for them.`

			`Signed-off-by: Bin Meng <bin.meng@windriver.com>`
			`Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>`
			`Message-Id: <20210216150225.27996-6-bmeng.cn@gmail.com>`
			`Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>`
			`Signed-off-by: Bruce Rogers <brogers@suse.com>`
			`---`
			`hw/sd/sd.c \| 18 ++++++++++++------`
			`1 file changed, 12 insertions(+), 6 deletions(-)`

			`diff --git a/hw/sd/sd.c b/hw/sd/sd.c`
			`index ac48140251de7845a01ab4ad656c..a4ea365f4a74afd30dee5b16eebe 100644`
			`--- a/hw/sd/sd.c`
			`+++ b/hw/sd/sd.c`
			`@@ -781,6 +781,7 @@ static void sd_erase(SDState *sd)`
			`int i;`
			`uint64_t erase_start = sd->erase_start;`
			`uint64_t erase_end = sd->erase_end;`
			`+ bool sdsc = true;`

			`trace_sdcard_erase(sd->erase_start, sd->erase_end);`
			`if (sd->erase_start == INVALID_ADDRESS`
			`@@ -795,6 +796,7 @@ static void sd_erase(SDState *sd)`
			`/* High capacity memory card: erase units are 512 byte blocks */`
			`erase_start *= 512;`
			`erase_end *= 512;`
			`+ sdsc = false;`
			`}`

			`if (sd->erase_start > sd->size \|\| sd->erase_end > sd->size) {`
			`@@ -804,16 +806,20 @@ static void sd_erase(SDState *sd)`
			`return;`
			`}`

			`- erase_start = sd_addr_to_wpnum(erase_start);`
			`- erase_end = sd_addr_to_wpnum(erase_end);`
			`sd->erase_start = INVALID_ADDRESS;`
			`sd->erase_end = INVALID_ADDRESS;`
			`sd->csd[14] \|= 0x40;`

			`- for (i = erase_start; i <= erase_end; i++) {`
			`- assert(i < sd->wpgrps_size);`
			`- if (test_bit(i, sd->wp_groups)) {`
			`- sd->card_status \|= WP_ERASE_SKIP;`
			`+ /* Only SDSC cards support write protect groups */`
			`+ if (sdsc) {`
			`+ erase_start = sd_addr_to_wpnum(erase_start);`
			`+ erase_end = sd_addr_to_wpnum(erase_end);`
			`+`
			`+ for (i = erase_start; i <= erase_end; i++) {`
			`+ assert(i < sd->wpgrps_size);`
			`+ if (test_bit(i, sd->wp_groups)) {`
			`+ sd->card_status \|= WP_ERASE_SKIP;`
			`+ }`
			`}`
			`}`
			`}`