Hi Bin, For this series, Tested-by: Alexander Bulekov <alx...@bu.edu>
Thank you -Alex On 210216 1146, Bin Meng wrote: > This series includes several fixes to CVE-2020-17380, CVE-2020-25085 > and CVE-2021-3409 that are heap-based buffer overflow issues existing > in the sdhci model. > > These CVEs are pretty much similar, and were filed using different > reproducers. With this series, current known reproducers I have > cannot be reproduced any more. > > The implementation of this model still has some issues, e.g.: some codes > do not seem to strictly match the spec, but since this series only aimes > to address CVEs, such issue should be fixed in a separate series in the > future, if I have time :) > > Changes in v2: > - new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is > writable > - new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a > different block size is programmed > > Bin Meng (6): > hw/sd: sdhci: Don't transfer any data when command time out > hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in > progress > hw/sd: sdhci: Correctly set the controller status for ADMA > hw/sd: sdhci: Simplify updating s->prnsts in > sdhci_sdma_transfer_multi_blocks() > hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is > writable > hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a > different block size is programmed > > hw/sd/sdhci.c | 60 > ++++++++++++++++++++++++++++++++++++++--------------------- > 1 file changed, 39 insertions(+), 21 deletions(-) > > -- > 2.7.4 >