* [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
@ 2020-06-03 18:21 Philippe Mathieu-Daudé
0 siblings, 0 replies; only message in thread
From: Philippe Mathieu-Daudé @ 2020-06-03 18:21 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Prasad J Pandit, Philippe Mathieu-Daudé,
Alexander Bulekov, Paolo Bonzini, Philippe Mathieu-Daudé
Only SCSD cards support Class 6 (Block Oriented Write Protection)
commands.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.14 Command Functional Difference in Card Capacity Types
* Write Protected Group
SDHC and SDXC do not support write-protected groups. Issuing
CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
This patch doesn't fix CVE-2020-13253, but greatly reduce
QEMU exposure to it.
https://bugs.launchpad.net/qemu/+bug/1880822
---
hw/sd/sd.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..da39590f58 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -905,6 +905,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->multi_blk_cnt = 0;
}
+ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
+ /* Only Standard Capacity cards support class 6 commands */
+ return sd_illegal;
+ }
+
switch (req.cmd) {
/* Basic commands (Class 0 and Class 1) */
case 0: /* CMD0: GO_IDLE_STATE */
--
2.21.3
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-06-03 18:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-03 18:21 [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.