This series includes several fixes to CVE-2020-17380, CVE-2020-25085 and CVE-2021-3409 that are heap-based buffer overflow issues existing in the sdhci model.
These CVEs are pretty much similar, and were filed using different reproducers. With this series, current known reproducers I have cannot be reproduced any more. The implementation of this model still has some issues, e.g.: some codes do not seem to strictly match the spec, but since this series only aimes to address CVEs, such issue should be fixed in a separate series in the future, if I have time :) Changes in v2: - new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is writable - new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed Bin Meng (6): hw/sd: sdhci: Don't transfer any data when command time out hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress hw/sd: sdhci: Correctly set the controller status for ADMA hw/sd: sdhci: Simplify updating s->prnsts in sdhci_sdma_transfer_multi_blocks() hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed hw/sd/sdhci.c | 60 ++++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 39 insertions(+), 21 deletions(-) -- 2.7.4