xemu/hw
Philippe Mathieu-Daudé 790762e548 hw/sd/sdcard: Do not switch to ReceivingData if address is invalid

Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
commands queued.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.3 Data Read

  Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

  4.3.4 Data Write

  Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().

Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
2020-07-14 15:46:14 +02:00
9pfs virtio-9p: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
acpi qapi: Smooth another visitor error checking pattern 2020-07-10 15:18:08 +02:00
adc hw/adc/stm32f2xx_adc: Correct memory region size and access size 2020-06-05 17:23:09 +01:00
alpha sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
arm hw/arm/aspeed: Do not create and attach empty SD cards by default 2020-07-13 14:36:12 +01:00
audio audio: set default value for pcspk.iobase property 2020-07-06 17:01:11 +02:00
avr hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
block xen: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
char hw/char: avr: Add limited support for USART peripheral 2020-07-11 11:02:05 +02:00
core hw/core/null-machine: Do not initialize unused chardev backends 2020-07-10 18:02:16 -04:00
cpu error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
cris sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
display Revert "vga: build virtio-gpu as module" 2020-07-11 15:53:29 +01:00
dma qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
gpio error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
hppa sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
hyperv error: Avoid unnecessary error_propagate() after error_setg() 2020-07-10 15:18:08 +02:00
i2c hw/i2c/core: Add i2c_try_create_slave() and i2c_realize_and_unref() 2020-06-26 14:30:28 +01:00
i386 * Make checkpatch say 'qemu' instead of 'kernel' (Aleksandar) 2020-07-11 16:52:24 +01:00
ide qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
input adb: add ADB bus trace events 2020-06-26 10:13:52 +01:00
intc apic: Report current_count via 'info lapic' 2020-07-10 19:26:55 -04:00
ipack qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipmi various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
isa error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
lm32 sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
m68k qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
mem error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
microblaze error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
mips error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
misc hw/misc: avr: Add limited support for power reduction device 2020-07-11 11:02:05 +02:00
moxie hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
net error: Reduce unnecessary error propagation 2020-07-10 15:18:08 +02:00
nios2 hw/nios2: exit to main CPU loop only when unmasking interrupts 2020-07-13 14:36:11 +01:00
nubus hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
nvram fw_cfg: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
openrisc sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
pci qdev: Drop qbus_set_hotplug_handler() parameter @errp 2020-07-02 06:25:29 +02:00
pci-bridge sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
pci-host xen: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
pcmcia sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
ppc error: Eliminate error_propagate() manually 2020-07-10 15:18:08 +02:00
rdma lockable: Replace locks with lock guard macros 2020-05-04 16:07:43 +01:00
riscv error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
rtc sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
rx qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
s390x error: Eliminate error_propagate() manually 2020-07-10 15:18:08 +02:00
scsi error: Avoid error_propagate() after migrate_add_blocker() 2020-07-10 15:18:08 +02:00
sd hw/sd/sdcard: Do not switch to ReceivingData if address is invalid 2020-07-14 15:46:14 +02:00
semihosting semihosting: remove the pthread include which seems unused 2020-06-10 11:29:44 +02:00
sh4 hw/sh4: Extract timer definitions to 'hw/timer/tmu012.h' 2020-06-22 18:37:12 +02:00
smbios error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
sparc qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
sparc64 qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
ssi ssi: Add ssi_realize_and_unref() 2020-07-03 16:59:44 +01:00
timer hw/timer: avr: Add limited support for 16-bit timer peripheral 2020-07-11 11:02:05 +02:00
tpm tpm: Move backend code under the 'backends/' directory 2020-06-19 07:25:55 -04:00
tricore hw: Do not initialize MachineClass::is_default to 0 2020-02-28 14:57:19 -05:00
unicore32 hw/unicore32/puv3: Use qemu_log_mask(ERROR) instead of debug printf() 2020-06-09 19:01:56 +02:00
usb usb: fix usb-host build on windows. 2020-07-13 11:46:51 +02:00
vfio error: Eliminate error_propagate() with Coccinelle, part 2 2020-07-10 15:18:08 +02:00
virtio virtio-iommu: Fix coverity issue in virtio_iommu_handle_command() 2020-07-13 14:36:08 +01:00
watchdog hw/watchdog/cmsdk-apb-watchdog: Add trace event for lock status 2020-06-23 11:39:47 +01:00
xen osdep.h: Always include <sys/signal.h> if it exists 2020-07-13 14:36:09 +01:00
xenpv trivial: Remove xenfb_enabled from sysemu.h 2020-02-04 09:00:57 +01:00
xtensa qdev: Make qdev_prop_set_drive() match the other helpers 2020-06-23 16:07:07 +02:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
Makefile.objs vga: build qxl as module 2020-07-07 15:33:59 +02:00