packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
Jiajie Li 372c6f4847 fix CVE-2020-25085 & CVE-2020-25084 
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2020-09-18 14:43:13 +08:00

26 lines
896 B
Diff
Raw Blame History

From 8b8d3992db22a583b69b6e2ae1d9cd87e2179e21 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 18 Sep 2020 10:55:22 +0800
Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field The 'Transfer
Block Size' field is 12-bit wide. See section '2.2.2 Block Size Register
(Offset 004h)' in datasheet.
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 7b80b1d9..acf482b8 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1127,7 +1127,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
break;
case SDHC_BLKSIZE:
if (!TRANSFERRING_DATA(s->prnsts)) {
- MASKED_WRITE(s->blksize, mask, value);
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
}
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink