| Message ID | 20170130064736.9236-1-ppandit@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 30 January 2017 at 06:47, P J P <ppandit@redhat.com> wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While doing multi block SDMA transfer in routine > 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting > index 'begin' and data length 's->data_count' could end up to be same. > This could lead to an OOB access issue. Correct transfer data length > to avoid it. > > Reported-by: Jiang Xin <jiangxin1@huawei.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/sd/sdhci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c > index 01fbf22..5bd5ab6 100644 > --- a/hw/sd/sdhci.c > +++ b/hw/sd/sdhci.c > @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) > boundary_count -= block_size - begin; > } > dma_memory_read(&address_space_memory, s->sdmasysad, > - &s->fifo_buffer[begin], s->data_count); > + &s->fifo_buffer[begin], s->data_count - begin); > s->sdmasysad += s->data_count - begin; > if (s->data_count == block_size) { > for (n = 0; n < block_size; n++) { Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Cc: qemu-stable@nongnu.org thanks -- PMM
On 30 January 2017 at 10:30, Peter Maydell <peter.maydell@linaro.org> wrote: > On 30 January 2017 at 06:47, P J P <ppandit@redhat.com> wrote: >> From: Prasad J Pandit <pjp@fedoraproject.org> >> >> While doing multi block SDMA transfer in routine >> 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting >> index 'begin' and data length 's->data_count' could end up to be same. >> This could lead to an OOB access issue. Correct transfer data length >> to avoid it. >> >> Reported-by: Jiang Xin <jiangxin1@huawei.com> >> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> >> --- >> hw/sd/sdhci.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c >> index 01fbf22..5bd5ab6 100644 >> --- a/hw/sd/sdhci.c >> +++ b/hw/sd/sdhci.c >> @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) >> boundary_count -= block_size - begin; >> } >> dma_memory_read(&address_space_memory, s->sdmasysad, >> - &s->fifo_buffer[begin], s->data_count); >> + &s->fifo_buffer[begin], s->data_count - begin); >> s->sdmasysad += s->data_count - begin; >> if (s->data_count == block_size) { >> for (n = 0; n < block_size; n++) { > > Reviewed-by: Peter Maydell <peter.maydell@linaro.org> > Cc: qemu-stable@nongnu.org Applied to target-arm.next, thanks. -- PMM
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 01fbf22..5bd5ab6 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) boundary_count -= block_size - begin; } dma_memory_read(&address_space_memory, s->sdmasysad, - &s->fifo_buffer[begin], s->data_count); + &s->fifo_buffer[begin], s->data_count - begin); s->sdmasysad += s->data_count - begin; if (s->data_count == block_size) { for (n = 0; n < block_size; n++) {