Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails

From:	Alexander Bulekov
Subject:	Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails
Date:	Thu, 11 Feb 2021 10:49:10 -0500

On 210209 1854, Bin Meng wrote:
> At the end of sdhci_send_command(), it starts a data transfer if
> the command register indicates a data is associated. However the
> data transfer should only be initiated when the command execution
> has succeeded.
> 
> Cc: qemu-stable@nongnu.org
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Reported-by: Sergej Schumilo (Ruhr-University Bochum)
> Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
> Reported-by: Simon Wrner (Ruhr-University Bochum)

Reported-by: Muhammad Ramdhan 
(don't know how to get the email from a launchpad report)

and probably:
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418

> Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
> Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
> ---
> 
>  hw/sd/sdhci.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 8ffa539..0450110 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
>      SDRequest request;
>      uint8_t response[16];
>      int rlen;
> +    bool cmd_failure = false;
>  
>      s->errintsts = 0;
>      s->acmd12errsts = 0;
> @@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
>              trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
>                                     s->rspreg[1], s->rspreg[0]);
>          } else {
> +            cmd_failure = true;
>              trace_sdhci_error("timeout waiting for command response");
>              if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
>                  s->errintsts |= SDHC_EIS_CMDTIMEOUT;
> @@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
>  
>      sdhci_update_irq(s);
>  
> -    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
> +    if (!cmd_failure && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
>          s->data_count = 0;
>          sdhci_data_transfer(s);
>      }
> -- 
> 2.7.4
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Bin Meng, 2021/02/09
- Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Philippe Mathieu-Daudé, 2021/02/09
- Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Alistair Francis, 2021/02/10
  - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Mauro Matteo Cascella, 2021/02/11
    - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Philippe Mathieu-Daudé, 2021/02/11
    - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Mauro Matteo Cascella, 2021/02/12
- Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Alexander Bulekov <=
- Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Alexander Bulekov, 2021/02/11
  - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Alexander Bulekov, 2021/02/11
    - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Bin Meng, 2021/02/14
    - Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails, Bin Meng, 2021/02/14

Prev by Date: Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails
Next by Date: Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails
Previous by thread: Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails
Next by thread: Re: [PATCH] hw/sd: sdhci: Do not transfer any data when command fails
Index(es):
- Date
- Thread