Message ID | 20200605102230.21493-9-philmd@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | hw/sd/sdcard: Fix CVE-2020-13253 & cleanups |
On Fri, 5 Jun 2020 at 11:27, Philippe Mathieu-Daudé <philmd@redhat.com> wrote: > > I/O request length can not be negative. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > hw/sd/sd.c | 2 +- > hw/sd/trace-events | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/sd/sd.c b/hw/sd/sd.c > index 9d51138b11..952be36399 100644 > --- a/hw/sd/sd.c > +++ b/hw/sd/sd.c > @@ -1950,7 +1950,7 @@ uint8_t sd_read_data(SDState *sd) > { > /* TODO: Append CRCs */ > uint8_t ret; > - int io_len; > + size_t io_len;

size_t seems an odd choice -- we initialize it with
    io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
where sd->blk_len is a uint32_t, and we use it mainly with
    BLK_READ_BLOCK(sd->data_start, io_len);
where BLK_READ_BLOCK is a rather unnecessary macroization of
sd_blk_read(), which takes a uint32_t.

thanks
-- PMM
diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 9d51138b11..952be36399 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1950,7 +1950,7 @@ uint8_t sd_read_data(SDState *sd) { /* TODO: Append CRCs */ uint8_t ret; - int io_len; + size_t io_len; if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) return 0x00; diff --git a/hw/sd/trace-events b/hw/sd/trace-events index 5f09d32eb2..f892c05867 100644 --- a/hw/sd/trace-events +++ b/hw/sd/trace-events @@ -52,7 +52,7 @@ sdcard_unlock(void) "" sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x" sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x" sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x" -sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, int length) "%s %20s/ CMD%02d len %d" +sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, size_t length) "%s %20s/ CMD%02d len %zu" sdcard_set_voltage(uint16_t millivolts) "%u mV" # milkymist-memcard.c
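Review bot: the new "size_t io_len;" declaration in sd_read_data() is wider than anything it holds or feeds. Per the reply on this page it is assigned either 512 or sd->blk_len (a uint32_t) and is passed on to sd_blk_read(), which takes a uint32_t, so uint32_t would give the unsigned type the commit message asks for without a width mismatch on 64-bit hosts. The hunk changes only the declared type and adds no range check on the length, so the commit message should also say whether this is one of the series' cleanups or part of the CVE-2020-13253 fix.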
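Review bot: in the sdcard_read_data event, "size_t length" with "len %zu" is out of step with the sdcard_read_block and sdcard_write_block events just above it in the same context, which both take "uint32_t len". If io_len in sd_read_data() ends up as uint32_t to match sd->blk_len, this line should become "uint32_t length" with "len %u", so that the argument type, the format specifier and the caller change together.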
I/O request length can not be negative.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/sd/sd.c         | 2 +-
 hw/sd/trace-events | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)