Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
qemu.20756
0143-sd-sdhci-check-data-length-during-d.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0143-sd-sdhci-check-data-length-during-d.patch of Package qemu.20756
From: P J P <ppandit@redhat.com> Date: Mon, 30 Jan 2017 10:39:18 -0700 Subject: sd: sdhci: check data length during dma_memory_read While doing multi block SDMA transfer in routine 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting index 'begin' and data length 's->data_count' could end up to be same. This could lead to an OOB access issue. Correct transfer data length to avoid it. Reported-by: Jiang Xin <jiangxin1@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> [BR: CVE-2017-5667 BSC#1022541] Signed-off-by: Bruce Rogers <brogers@suse.com> --- hw/sd/sdhci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index d28b5871fc15815dda2f6e225d94..f4cf5c7c5035b53b8ff4da54e1ca 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -535,7 +535,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) boundary_count -= block_size - begin; } dma_memory_read(&address_space_memory, s->sdmasysad, - &s->fifo_buffer[begin], s->data_count); + &s->fifo_buffer[begin], s->data_count - begin); s->sdmasysad += s->data_count - begin; if (s->data_count == block_size) { for (n = 0; n < block_size; n++) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor