On 2/9/21 11:54 AM, Bin Meng wrote:
> At the end of sdhci_send_command(), it starts a data transfer if
> the command register indicates a data is associated. However the
> data transfer should only be initiated when the command execution
> has succeeded.
>
> Cc: qemu-sta...@nongnu.org
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Reported-by: Alexander Bulekov <alx...@bu.edu>
> Reported-by: Sergej Schumilo (Ruhr-University Bochum)
> Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
> Reported-by: Simon Wörner (Ruhr-University Bochum)
> Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
> Signed-off-by: Bin Meng <bmeng...@gmail.com>
> ---
>
>  hw/sd/sdhci.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Tested-by: Philippe Mathieu-Daudé <f4...@amsat.org>