OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
bc6f28995f
qemu-e2k/hw/sd
History
Bin Meng bc6f28995f hw/sd: sdhci: Correctly set the controller status for ADMA 
When an ADMA transfer is started, the codes forget to set the
controller status to indicate a transfer is in progress.

With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-03-22 16:56:13 +01:00
..
allwinner-sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
aspeed_sdhci.c Fix SPDX-License-Identifier typos 2021-02-20 12:36:19 +01:00
bcm2835_sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
cadence_sdhci.c hw/sd: Add Cadence SDHCI emulation 2020-09-09 15:54:18 -07:00
core.c hw/sd: Introduce receive_ready() callback 2021-02-20 00:17:09 +01:00
Kconfig hw/sd: Add Cadence SDHCI emulation 2020-09-09 15:54:18 -07:00
meson.build hw/sd: Add Cadence SDHCI emulation 2020-09-09 15:54:18 -07:00
milkymist-memcard.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
omap_mmc.c hw/sd: Rename read/write_data() as read/write_byte() 2020-08-21 16:35:35 +02:00
pl181.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pxa2xx_mmci.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
sd.c hw/sd: sd: Actually perform the erase operation 2021-03-22 15:34:29 +01:00
sdhci-internal.h sd: sdhci: Implement basic vendor specific register support 2020-06-16 10:32:29 +01:00
sdhci-pci.c sd: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
sdhci.c hw/sd: sdhci: Correctly set the controller status for ADMA 2021-03-22 16:56:13 +01:00
sdmmc-internal.c sdcard: Display command name when tracing CMD/ACMD 2018-03-09 17:09:44 +00:00
sdmmc-internal.h Clean up header guards that don't match their file name 2019-05-13 08:58:55 +02:00
ssi-sd.c hw/sd: ssi-sd: Handle the rest commands with R1b response type 2021-02-20 00:17:09 +01:00
trace-events hw/sd/sdcard: Make iolen unsigned 2020-10-26 00:36:52 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00