[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen stable-4.10] hw/sd: fix out-of-bounds check for multi block reads

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Mon, 15 Jan 2018 22:26:34 +0000
Delivery-date: Mon, 15 Jan 2018 22:26:41 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 64f62e4e901e268696234e13357d7b978ad29f1e
Author:     Michael Olbrich <m.olbrich@xxxxxxxxxxxxxx>
AuthorDate: Fri Oct 6 16:46:47 2017 +0100
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Tue Dec 5 19:39:35 2017 -0600

    hw/sd: fix out-of-bounds check for multi block reads
    
    The current code checks if the next block exceeds the size of the card.
    This generates an error while reading the last block of the card.
    Do the out-of-bounds check when starting to read a new block to fix this.
    
    This issue became visible with increased error checking in Linux 4.13.
    
    Cc: qemu-stable@xxxxxxxxxx
    Signed-off-by: Michael Olbrich <m.olbrich@xxxxxxxxxxxxxx>
    Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
    Message-id: 20170916091611.10241-1-m.olbrich@xxxxxxxxxxxxxx
    Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
    (cherry picked from commit 8573378e62d19e25a2434e23462ec99ef4d065ac)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/sd/sd.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ba47bff..35347a5 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1797,8 +1797,13 @@ uint8_t sd_read_data(SDState *sd)
         break;
 
     case 18:   /* CMD18:  READ_MULTIPLE_BLOCK */
-        if (sd->data_offset == 0)
+        if (sd->data_offset == 0) {
+            if (sd->data_start + io_len > sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return 0x00;
+            }
             BLK_READ_BLOCK(sd->data_start, io_len);
+        }
         ret = sd->data[sd->data_offset ++];
 
         if (sd->data_offset >= io_len) {
@@ -1812,11 +1817,6 @@ uint8_t sd_read_data(SDState *sd)
                     break;
                 }
             }
-
-            if (sd->data_start + io_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
-                break;
-            }
         }
         break;
 
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.10

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [qemu-xen stable-4.10] memory: fix off-by-one error in memory_region_notify_one()
Next by Date: [Xen-changelog] [qemu-xen stable-4.10] qcow2: Fix unaligned preallocated truncation
Previous by thread: [Xen-changelog] [qemu-xen stable-4.10] memory: fix off-by-one error in memory_region_notify_one()
Next by thread: [Xen-changelog] [qemu-xen stable-4.10] qcow2: Fix unaligned preallocated truncation
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.