[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 0/6] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CV
|
From: |
Bin Meng |
|
Subject: |
[PATCH v2 0/6] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409 |
|
Date: |
Tue, 16 Feb 2021 11:46:48 +0800 |
This series includes several fixes to CVE-2020-17380, CVE-2020-25085
and CVE-2021-3409 that are heap-based buffer overflow issues existing
in the sdhci model.
These CVEs are pretty much similar, and were filed using different
reproducers. With this series, current known reproducers I have
cannot be reproduced any more.
The implementation of this model still has some issues, e.g.: some codes
do not seem to strictly match the spec, but since this series only aimes
to address CVEs, such issue should be fixed in a separate series in the
future, if I have time :)
Changes in v2:
- new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
- new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a different
block size is programmed
Bin Meng (6):
hw/sd: sdhci: Don't transfer any data when command time out
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
progress
hw/sd: sdhci: Correctly set the controller status for ADMA
hw/sd: sdhci: Simplify updating s->prnsts in
sdhci_sdma_transfer_multi_blocks()
hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is
writable
hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a
different block size is programmed
hw/sd/sdhci.c | 60 ++++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 39 insertions(+), 21 deletions(-)
--
2.7.4
- [PATCH v2 0/6] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409,
Bin Meng <=