sd: limit 'req.cmd' while using as an array index

While processing standard SD commands, the 'req.cmd' value could lead to OOB read when used as an index into 'sd_cmd_type' or 'sd_cmd_class' arrays. Limit 'req.cmd' value to avoid such an access. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453315857-1352-1-git-send-email-ppandit@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
qemu · Feb 11, 2016 · 97f4ed3 · 97f4ed3
1 parent 3826121
commit 97f4ed3
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
@@ -669,8 +669,10 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,
     /* Not interpreting this as an app command */
     sd->card_status &= ~APP_CMD;
 
-    if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
+    if (sd_cmd_type[req.cmd & 0x3F] == sd_ac
+        || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) {
         rca = req.arg >> 16;
+    }
 
     DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
     switch (req.cmd) {
@@ -1341,7 +1343,8 @@ static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
     if (req->cmd == 16 || req->cmd == 55) {
         return 1;
     }
-    return sd_cmd_class[req->cmd] == 0 || sd_cmd_class[req->cmd] == 7;
+    return sd_cmd_class[req->cmd & 0x3F] == 0
+            || sd_cmd_class[req->cmd & 0x3F] == 7;
 }
 
 int sd_do_command(SDState *sd, SDRequest *req,