On 30 January 2017 at 06:47, P J P <ppan...@redhat.com> wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While doing multi block SDMA transfer in routine
> 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
> index 'begin' and data length 's->data_count' could end up to be same.
> This could lead to an OOB access issue. Correct transfer data length
> to avoid it.
>
> Reported-by: Jiang Xin <jiangx...@huawei.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
> hw/sd/sdhci.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 01fbf22..5bd5ab6 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState
> *s)
> boundary_count -= block_size - begin;
> }
> dma_memory_read(&address_space_memory, s->sdmasysad,
> - &s->fifo_buffer[begin], s->data_count);
> + &s->fifo_buffer[begin], s->data_count - begin);
> s->sdmasysad += s->data_count - begin;
> if (s->data_count == block_size) {
> for (n = 0; n < block_size; n++) {
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Cc: qemu-sta...@nongnu.org
thanks
-- PMM
