Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):

http://seclists.org/oss-sec/2017/q1/243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667

Patch copied from upstream source repository:

http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9

From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Feb 2017 18:29:59 +0000
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read

While doing multi block SDMA transfer in routine
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
index 'begin' and data length 's->data_count' could end up to be same.
This could lead to an OOB access issue. Correct transfer data length
to avoid it.

Cc: qemu-stable@nongnu.org
Reported-by: Jiang Xin <jiangxin1@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20170130064736.9236-1-ppandit@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 01fbf228be..5bd5ab6319 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
                 boundary_count -= block_size - begin;
             }
             dma_memory_read(&address_space_memory, s->sdmasysad,
-                            &s->fifo_buffer[begin], s->data_count);
+                            &s->fifo_buffer[begin], s->data_count - begin);
             s->sdmasysad += s->data_count - begin;
             if (s->data_count == block_size) {
                 for (n = 0; n < block_size; n++) {
-- 
2.11.1

>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=d7f017d5ff5b045d8e4e18ccf4ede3a10da01906'>root</a>/<a href='/guix/log/po?id=d7f017d5ff5b045d8e4e18ccf4ede3a10da01906'>po</a>/<a href='/guix/log/po/packages?id=d7f017d5ff5b045d8e4e18ccf4ede3a10da01906'>packages</a>/<a href='/guix/log/po/packages/LINGUAS?id=d7f017d5ff5b045d8e4e18ccf4ede3a10da01906'>LINGUAS</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/po/packages/LINGUAS?id=d7f017d5ff5b045d8e4e18ccf4ede3a10da01906&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2022-06-04 17:42:54 +0200'>2022-06-04</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=809c57c872a6dd48007d1abf6d7f3dd1482ec53a'>nls: Update translations.</a><span class='msg-avail'>...<span class='msg-tooltip'>po/packages/tr.po: New file.
po/packages/LINGUAS: Add it.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2022-04-02 18:42:36 +0200'>2022-04-02</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=8a208df17fe81fbf34f5a86cc52bb0b8e33c7b96'>nls: Update translations.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/packages/fi.po: New file.
* po/packages/LINGUAS: Add it.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-09-02 04:06:52 +0200'>2021-09-02</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=1ff2092a39dc5c7c7cd9b4a0ba4b59f92e738efc'>nls: Update translations.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/packages/it.po: New file.
* po/packages/LINGUAS: Add `it'.
* po/*/*.po: Update translations.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-05-10 22:27:53 -0400'>2021-05-10</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=63d26e81eea7be63caeb0eb7ca26ca1cf963ec97'>nls: New nl and oc translations for the 'packages' component.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/packages/nl.po: New file.
* po/packages/oc.po: Likewise.
* po/packages/LINGUAS: Register them.
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2021-04-18 21:07:24 +0200'>2021-04-18</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=a209c597e2e4e030bbaeb449779b311736026aa1'>nls: Remove 'vi' in LINGUAS</a><span class='msg-avail'>...<span class='msg-tooltip'>The po file is no longer available.

* po/packages/LINGUAS: Remove 'vi'.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-04-18 13:18:22 +0200'>2021-04-18</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=0f355124af123f793bfd3011341d2d539c965884'>nls: Add Korean translation.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/doc/guix-cookbook.ko.po: New file.
* po/doc/guix-manual.ko.po: New file.
* doc/local.mk (info_TEXINFOS): Add them.
* po/doc/local.mk (DOC_PO_FILES, DOC_COOKBOOK_PO_FILES): Add them.
* po/guix/ko.po: New file.
* po/guix/LINGUAS: Add 'ko'.
* po/packages/ko.po: New file.
* po/packages/LINGUAS: Add 'ko'.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-04-18 13:18:17 +0200'>2021-04-18</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=43fb84da6749a78d12ac0f13db4cecb435de7903'>nls: Add Persian translation.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/packages/fa.po: New file.
* po/packages/LINGUAS: Add 'fa'.
* po/doc/guix-cookbook.fa.po: New file.
* po/doc/guix-manual.fa.po: New file.
* po/doc/local.mk (DOC_PO_FILES, DOC_COOKBOOK_PO_FILES): Add them.
* doc/local.mk (info_TEXINFOS): Add them.
</span></span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-04-18 13:18:13 +0200'>2021-04-18</span></td><td><a href='/guix/commit/po/packages/LINGUAS?id=77c6c0aa577939da4d35a1ba95ea998459a3f337'>nls: Add Slovak translation.</a><span class='msg-avail'>...<span class='msg-tooltip'>* po/packages/sk.po: New file.
* po/packages/LINGUAS: Add 'sk'.
* po/doc/guix-manual.sk.po: New file.
* doc/local.mk (info_TEXINFOS): Add it.
* po/doc/local.mk (DOC_PO_FILES): Add it.
</span></span></td><td>Julien Lepiller</td></tr>

Age	Commit message (Expand)	Author
2022-06-04	nls: Update translations....po/packages/tr.po: New file. po/packages/LINGUAS: Add it.	Julien Lepiller
2022-04-02	nls: Update translations....* po/packages/fi.po: New file. * po/packages/LINGUAS: Add it.	Julien Lepiller
2021-09-02	nls: Update translations....* po/packages/it.po: New file. * po/packages/LINGUAS: Add `it'. * po//.po: Update translations.	Julien Lepiller
2021-05-10	nls: New nl and oc translations for the 'packages' component....* po/packages/nl.po: New file. * po/packages/oc.po: Likewise. * po/packages/LINGUAS: Register them.	Maxim Cournoyer
2021-04-18	nls: Remove 'vi' in LINGUAS...The po file is no longer available. * po/packages/LINGUAS: Remove 'vi'.	Julien Lepiller
2021-04-18	nls: Add Korean translation....* po/doc/guix-cookbook.ko.po: New file. * po/doc/guix-manual.ko.po: New file. * doc/local.mk (info_TEXINFOS): Add them. * po/doc/local.mk (DOC_PO_FILES, DOC_COOKBOOK_PO_FILES): Add them. * po/guix/ko.po: New file. * po/guix/LINGUAS: Add 'ko'. * po/packages/ko.po: New file. * po/packages/LINGUAS: Add 'ko'.	Julien Lepiller
2021-04-18	nls: Add Persian translation....* po/packages/fa.po: New file. * po/packages/LINGUAS: Add 'fa'. * po/doc/guix-cookbook.fa.po: New file. * po/doc/guix-manual.fa.po: New file. * po/doc/local.mk (DOC_PO_FILES, DOC_COOKBOOK_PO_FILES): Add them. * doc/local.mk (info_TEXINFOS): Add them.	Julien Lepiller
2021-04-18	nls: Add Slovak translation....* po/packages/sk.po: New file. * po/packages/LINGUAS: Add 'sk'. * po/doc/guix-manual.sk.po: New file. * doc/local.mk (info_TEXINFOS): Add it. * po/doc/local.mk (DOC_PO_FILES): Add it.	Julien Lepiller