qemu-devel

From: Peter Maydell
Subject: Re: [PATCH v3 03/11] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
Date: Mon, 15 Jun 2020 15:06:17 +0100

On Fri, 5 Jun 2020 at 11:25, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> From: Philippe Mathieu-Daudé <f4bug@amsat.org>
>
> Only move the state machine to ReceivingData if there is no
> pending error.  This avoids later OOB access while processing
> commands queued.
>
>   "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
>   4.3.3 Data Read
>
>   Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
>   occurred and no data transfer is performed.
>
>   4.3.4 Data Write
>
>   Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
>   occurred and no data transfer is performed.

It's not clear from the spec that this should also
apply to WP_VIOLATION errors. The text about WP_VIOLATION
suggests that it is handled by aborting the data transfer
(ie set the error bit, stay in receive-data state, wait for
a stop command, but ignore all further data transfer),
which is I think distinct from "rejecting" the command.

If that theory is right then moving the check for the
ADDRESS_ERROR in this patch is correct but the WP_VIOLATION
tests should stay as they are, I think.

NB: is the buffer overrun we're trying to protect against
caused by passing sd_wp_addr() a bad address? Maybe we
should assert in sd_addr_to_wpnum() that the address is
in range, as a defence.

thanks
-- PMM
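
The distinction drawn in the reply above, as an added example that is not part of the original message and is not QEMU's code: an out-of-range address rejects the command before any state change, a write-protect hit enters the receive state but discards data, and the group lookup asserts its own range. Every name and size here (`struct card`, `write_block_cmd`, `WPGROUP_SHIFT`, the four-group card) is a hypothetical stand-in, and the WP_VIOLATION handling follows the reviewer's reading of the spec.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not hw/sd/sd.c: all names and sizes are assumptions. */
#define WPGROUP_SHIFT 16
#define WP_GROUPS     4
#define CARD_SIZE     ((uint64_t)WP_GROUPS << WPGROUP_SHIFT)
#define ADDRESS_ERROR (1u << 0)
#define WP_VIOLATION  (1u << 1)

enum state { TRANSFER, RECEIVING_DATA };

struct card {
    enum state state;
    uint32_t status;
    bool wp_groups[WP_GROUPS];
    bool discard_data;  /* transfer aborted: ignore data until stop */
};

/* Defence in depth: callers must range-check, and the lookup enforces it. */
static uint32_t addr_to_wpnum(uint64_t addr)
{
    assert(addr < CARD_SIZE);
    return (uint32_t)(addr >> WPGROUP_SHIFT);
}

/* Single-block write command; returns true if the command was accepted. */
static bool write_block_cmd(struct card *c, uint64_t addr)
{
    if (addr >= CARD_SIZE) {            /* rejected: no state change */
        c->status |= ADDRESS_ERROR;
        return false;
    }
    c->state = RECEIVING_DATA;
    c->discard_data = c->wp_groups[addr_to_wpnum(addr)];
    if (c->discard_data)                /* aborted, but still receiving */
        c->status |= WP_VIOLATION;
    return true;
}

int main(void)
{
    struct card c = { .state = TRANSFER };
    c.wp_groups[1] = true;              /* constructed sample: group 1 protected */
    printf("bad addr accepted=%d state=%d\n", write_block_cmd(&c, CARD_SIZE), c.state);
    printf("wp addr accepted=%d discard=%d\n",
           write_block_cmd(&c, (uint64_t)1 << WPGROUP_SHIFT), c.discard_data);
    return 0;
}
```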


