mirror of https://gitee.com/openkylin/qemu.git
sdhci.c: Limit the maximum block size
It is possible for the guest to set an invalid block size which is larger then the fifo_buffer[] array. This could cause a buffer overflow. To avoid this limit the maximum size of the blksize variable. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Reported-by: Intel Security ATR <secure@intel.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: abe4c51f513290bbb85d1ee271cb1a3d463d7561.1444067470.git.alistair.francis@xilinx.com Suggested-by: Igor Mitsyanko <i.mitsyanko@gmail.com> Reported-by: Intel Security ATR <secure@intel.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
parent
c84b31926f
commit
9201bb9a8c
|
@ -1009,6 +1009,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
|
|||
MASKED_WRITE(s->blksize, mask, value);
|
||||
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
|
||||
}
|
||||
|
||||
/* Limit block size to the maximum buffer size */
|
||||
if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
|
||||
qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
|
||||
"the maximum buffer 0x%x", __func__, s->blksize,
|
||||
s->buf_maxsz);
|
||||
|
||||
s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
|
||||
}
|
||||
|
||||
break;
|
||||
case SDHC_ARGUMENT:
|
||||
MASKED_WRITE(s->argument, mask, value);
|
||||
|
|
Loading…
Reference in New Issue