Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer): http://seclists.org/oss-sec/2017/q1/243 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667 Patch copied from upstream source repository: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9 From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 7 Feb 2017 18:29:59 +0000 Subject: [PATCH] sd: sdhci: check data length during dma_memory_read While doing multi block SDMA transfer in routine 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting index 'begin' and data length 's->data_count' could end up to be same. This could lead to an OOB access issue. Correct transfer data length to avoid it. Cc: qemu-stable@nongnu.org Reported-by: Jiang Xin Signed-off-by: Prasad J Pandit Reviewed-by: Peter Maydell Message-id: 20170130064736.9236-1-ppandit@redhat.com Signed-off-by: Peter Maydell --- hw/sd/sdhci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 01fbf228be..5bd5ab6319 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) boundary_count -= block_size - begin; } dma_memory_read(&address_space_memory, s->sdmasysad, - &s->fifo_buffer[begin], s->data_count); + &s->fifo_buffer[begin], s->data_count - begin); s->sdmasysad += s->data_count - begin; if (s->data_count == block_size) { for (n = 0; n < block_size; n++) { -- 2.11.1