[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 03/11] hw/sd/sdcard: Do not switch to ReceivingData if add
From: |
Peter Maydell |
Subject: |
Re: [PATCH v3 03/11] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid |
Date: |
Mon, 15 Jun 2020 15:06:17 +0100 |
On Fri, 5 Jun 2020 at 11:25, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> From: Philippe Mathieu-Daudé <f4bug@amsat.org>
>
> Only move the state machine to ReceivingData if there is no
> pending error. This avoids later OOB access while processing
> commands queued.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.3 Data Read
>
> Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> 4.3.4 Data Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
It's not clear from the spec that this should also
apply to WP_VIOLATION errors. The text about WP_VIOLATION
suggests that it is handled by aborting the data transfer
(ie set the error bit, stay in receive-data state, wait for
a stop command, but ignore all further data transfer),
which is I think distinct from "rejecting" the command.
If that theory is right then moving the check for the
ADDRESS_ERROR in this patch is correct but the WP_VIOLATION
tests should stay as they are, I think.
NB: is the buffer overrun we're trying to protect against
caused by passing sd_wp_addr() a bad address? Maybe we
should assert in sd_addr_to_wpnum() that the address is
in range, as a defence.
thanks
-- PMM
- [PATCH v3 00/11] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 01/11] MAINTAINERS: Cc qemu-block mailing list, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 02/11] hw/sd/sdcard: Update coding style to make checkpatch.pl happy, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 03/11] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, Philippe Mathieu-Daudé, 2020/06/05
- Re: [PATCH v3 03/11] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid,
Peter Maydell <=
- [PATCH v3 04/11] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 05/11] hw/sd/sdcard: Update the SDState documentation, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 06/11] hw/sd/sdcard: Simplify cmd_valid_while_locked(), Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 07/11] hw/sd/sdcard: Constify sd_crc*()'s message argument, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 08/11] hw/sd/sdcard: Make iolen unsigned, Philippe Mathieu-Daudé, 2020/06/05
- [PATCH v3 09/11] hw/sd/sdcard: Correctly display the command name in trace events, Philippe Mathieu-Daudé, 2020/06/05