On 30 January 2017 at 10:30, Peter Maydell <peter.mayd...@linaro.org> wrote:
> On 30 January 2017 at 06:47, P J P <ppan...@redhat.com> wrote:
>> From: Prasad J Pandit <p...@fedoraproject.org>
>>
>> While doing multi block SDMA transfer in routine
>> 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
>> index 'begin' and data length 's->data_count' could end up to be same.
>> This could lead to an OOB access issue. Correct transfer data length
>> to avoid it.
>>
>> Reported-by: Jiang Xin <jiangx...@huawei.com>
>> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
>> ---
>> hw/sd/sdhci.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
>> index 01fbf22..5bd5ab6 100644
>> --- a/hw/sd/sdhci.c
>> +++ b/hw/sd/sdhci.c
>> @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState
>> *s)
>> boundary_count -= block_size - begin;
>> }
>> dma_memory_read(&address_space_memory, s->sdmasysad,
>> - &s->fifo_buffer[begin], s->data_count);
>> + &s->fifo_buffer[begin], s->data_count - begin);
>> s->sdmasysad += s->data_count - begin;
>> if (s->data_count == block_size) {
>> for (n = 0; n < block_size; n++) {
>
> Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
> Cc: qemu-sta...@nongnu.org
Applied to target-arm.next, thanks.
-- PMM
