https://github.com/qemu/qemu
Revision 1a156ae5d1fa2b8117e5e0a2bd73e21480df9bdb authored by Prasad J Pandit on 07 February 2017, 18:29:59 UTC, committed by Michael Roth on 16 March 2017, 17:10:40 UTC
While doing multi block SDMA transfer in routine 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting index 'begin' and data length 's->data_count' could end up to be same. This could lead to an OOB access issue. Correct transfer data length to avoid it. Cc: qemu-stable@nongnu.org Reported-by: Jiang Xin <jiangxin1@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20170130064736.9236-1-ppandit@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1 parent 3b8f27f
Tip revision: 1a156ae5d1fa2b8117e5e0a2bd73e21480df9bdb authored by Prasad J Pandit on 07 February 2017, 18:29:59 UTC
sd: sdhci: check data length during dma_memory_read
sd: sdhci: check data length during dma_memory_read
Tip revision: 1a156ae
| File | Mode | Size |
|---|---|---|
| audio | ||
| backends | ||
| block | ||
| bsd-user | ||
| contrib | ||
| crypto | ||
| default-configs | ||
| disas | ||
| docs | ||
| dtc @ 65cc4d2 | ||
| fpu | ||
| fsdev | ||
| gdb-xml | ||
| hw | ||
| include | ||
| io | ||
| libdecnumber | ||
| linux-headers | ||
| linux-user | ||
| migration | ||
| nbd | ||
| net | ||
| pc-bios | ||
| pixman @ 87eea99 | ||
| po | ||
| qapi | ||
| qga | ||
| qobject | ||
| qom | ||
| replay | ||
| roms | ||
| scripts | ||
| slirp | ||
| stubs | ||
| target-alpha | ||
| target-arm | ||
| target-cris | ||
| target-i386 | ||
| target-lm32 | ||
| target-m68k | ||
| target-microblaze | ||
| target-mips | ||
| target-moxie | ||
| target-openrisc | ||
| target-ppc | ||
| target-s390x | ||
| target-sh4 | ||
| target-sparc | ||
| target-tilegx | ||
| target-tricore | ||
| target-unicore32 | ||
| target-xtensa | ||
| tcg | ||
| tests | ||
| trace | ||
| ui | ||
| util | ||
| .dir-locals.el | -rw-r--r-- | 75 bytes |
| .exrc | -rw-r--r-- | 220 bytes |
| .gitignore | -rw-r--r-- | 2.0 KB |
| .gitmodules | -rw-r--r-- | 1.1 KB |
| .mailmap | -rw-r--r-- | 1.3 KB |
| .travis.yml | -rw-r--r-- | 4.3 KB |
| CODING_STYLE | -rw-r--r-- | 4.3 KB |
| COPYING | -rw-r--r-- | 17.6 KB |
| COPYING.LIB | -rw-r--r-- | 25.8 KB |
| Changelog | -rw-r--r-- | 22.6 KB |
| HACKING | -rw-r--r-- | 9.3 KB |
| LICENSE | -rw-r--r-- | 840 bytes |
| MAINTAINERS | -rw-r--r-- | 35.8 KB |
| Makefile | -rw-r--r-- | 24.1 KB |
| Makefile.objs | -rw-r--r-- | 5.3 KB |
| Makefile.target | -rw-r--r-- | 6.8 KB |
| README | -rw-r--r-- | 3.6 KB |
| VERSION | -rw-r--r-- | 6 bytes |
| accel.c | -rw-r--r-- | 4.3 KB |
| aio-posix.c | -rw-r--r-- | 12.7 KB |
| aio-win32.c | -rw-r--r-- | 10.2 KB |
| arch_init.c | -rw-r--r-- | 7.4 KB |
| async.c | -rw-r--r-- | 9.8 KB |
| atomic_template.h | -rw-r--r-- | 6.1 KB |
| balloon.c | -rw-r--r-- | 3.3 KB |
| block.c | -rw-r--r-- | 116.8 KB |
| blockdev-nbd.c | -rw-r--r-- | 4.7 KB |
| blockdev.c | -rw-r--r-- | 120.9 KB |
| blockjob.c | -rw-r--r-- | 20.2 KB |
| bootdevice.c | -rw-r--r-- | 9.2 KB |
| bt-host.c | -rw-r--r-- | 5.2 KB |
| bt-vhci.c | -rw-r--r-- | 4.5 KB |
| configure | -rwxr-xr-x | 160.3 KB |
| cpu-exec-common.c | -rw-r--r-- | 2.8 KB |
| cpu-exec.c | -rw-r--r-- | 20.8 KB |
| cpus-common.c | -rw-r--r-- | 10.1 KB |
| cpus.c | -rw-r--r-- | 43.3 KB |
| cputlb.c | -rw-r--r-- | 23.3 KB |
| device-hotplug.c | -rw-r--r-- | 2.6 KB |
| device_tree.c | -rw-r--r-- | 12.9 KB |
| disas.c | -rw-r--r-- | 11.3 KB |
| dma-helpers.c | -rw-r--r-- | 7.8 KB |
| dump.c | -rw-r--r-- | 53.2 KB |
| exec.c | -rw-r--r-- | 106.6 KB |
| gdbstub.c | -rw-r--r-- | 45.3 KB |
| hmp-commands-info.hx | -rw-r--r-- | 15.9 KB |
| hmp-commands.hx | -rw-r--r-- | 50.3 KB |
| hmp.c | -rw-r--r-- | 77.9 KB |
| hmp.h | -rw-r--r-- | 7.4 KB |
| iohandler.c | -rw-r--r-- | 3.5 KB |
| ioport.c | -rw-r--r-- | 9.0 KB |
| iothread.c | -rw-r--r-- | 5.2 KB |
| kvm-all.c | -rw-r--r-- | 64.7 KB |
| kvm-stub.c | -rw-r--r-- | 2.7 KB |
| main-loop.c | -rw-r--r-- | 13.9 KB |
| memory.c | -rw-r--r-- | 81.1 KB |
| memory_mapping.c | -rw-r--r-- | 10.5 KB |
| module-common.c | -rw-r--r-- | 113 bytes |
| monitor.c | -rw-r--r-- | 110.5 KB |
| numa.c | -rw-r--r-- | 16.4 KB |
| os-posix.c | -rw-r--r-- | 8.0 KB |
| os-win32.c | -rw-r--r-- | 3.6 KB |
| page_cache.c | -rw-r--r-- | 5.7 KB |
| qapi-schema.json | -rw-r--r-- | 126.4 KB |
| qdev-monitor.c | -rw-r--r-- | 25.2 KB |
| qdict-test-data.txt | -rw-r--r-- | 88.4 KB |
| qemu-bridge-helper.c | -rw-r--r-- | 11.0 KB |
| qemu-char.c | -rw-r--r-- | 132.1 KB |
| qemu-doc.texi | -rw-r--r-- | 92.3 KB |
| qemu-ga.texi | -rw-r--r-- | 3.2 KB |
| qemu-img-cmds.hx | -rw-r--r-- | 4.4 KB |
| qemu-img.c | -rw-r--r-- | 121.1 KB |
| qemu-img.texi | -rw-r--r-- | 25.1 KB |
| qemu-io-cmds.c | -rw-r--r-- | 57.1 KB |
| qemu-io.c | -rw-r--r-- | 15.8 KB |
| qemu-nbd.c | -rw-r--r-- | 30.6 KB |
| qemu-nbd.texi | -rw-r--r-- | 4.3 KB |
| qemu-option-trace.texi | -rw-r--r-- | 1.0 KB |
| qemu-options-wrapper.h | -rw-r--r-- | 1.0 KB |
| qemu-options.h | -rw-r--r-- | 1.4 KB |
| qemu-options.hx | -rw-r--r-- | 157.3 KB |
| qemu-seccomp.c | -rw-r--r-- | 8.9 KB |
| qemu-tech.texi | -rw-r--r-- | 12.3 KB |
| qemu-timer.c | -rw-r--r-- | 17.3 KB |
| qemu.nsi | -rw-r--r-- | 7.1 KB |
| qemu.sasl | -rw-r--r-- | 1.3 KB |
| qmp.c | -rw-r--r-- | 19.1 KB |
| qtest.c | -rw-r--r-- | 19.5 KB |
| replication.c | -rw-r--r-- | 2.5 KB |
| replication.h | -rw-r--r-- | 5.2 KB |
| rules.mak | -rw-r--r-- | 13.3 KB |
| softmmu_template.h | -rw-r--r-- | 15.2 KB |
| spice-qemu-char.c | -rw-r--r-- | 10.7 KB |
| tcg-runtime.c | -rw-r--r-- | 4.0 KB |
| tci.c | -rw-r--r-- | 36.6 KB |
| thread-pool.c | -rw-r--r-- | 9.0 KB |
| thunk.c | -rw-r--r-- | 9.0 KB |
| tpm.c | -rw-r--r-- | 7.5 KB |
| trace-events | -rw-r--r-- | 9.3 KB |
| translate-all.c | -rw-r--r-- | 64.8 KB |
| translate-all.h | -rw-r--r-- | 1.3 KB |
| translate-common.c | -rw-r--r-- | 1.7 KB |
| user-exec.c | -rw-r--r-- | 17.7 KB |
| version.rc | -rw-r--r-- | 797 bytes |
| vl.c | -rw-r--r-- | 136.3 KB |
| xen-common-stub.c | -rw-r--r-- | 334 bytes |
| xen-common.c | -rw-r--r-- | 3.8 KB |
| xen-hvm-stub.c | -rw-r--r-- | 1.2 KB |
| xen-hvm.c | -rw-r--r-- | 42.2 KB |
| xen-mapcache.c | -rw-r--r-- | 13.0 KB |
Computing file changes ...
