Date: Thu, 8 Oct 2015 10:50:05 +0100
From: Stefan Hajnoczi
Message-ID: <20151008095005.GC14090@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 1/1] sdhci.c: Limit the maximum block size
To: Alistair Francis
Cc: oleksandr.bazhaniuk@intel.com, peter.maydell@linaro.org, i.mitsyanko@gmail.com, james.l.walter@intel.com, qemu-devel@nongnu.org, armbru@redhat.com, crosthwaitepeter@gmail.com, kevin@koconnor.net, wehuang@redhat.com, jsnow@redhat.com, secure@intel.com

On Tue, Oct 06, 2015 at 10:40:41AM -0700, Alistair Francis wrote:
> It is possible for the guest to set an invalid block
> size which is larger than the fifo_buffer[] array. This
> could cause a buffer overflow.
>
> To avoid this, limit the maximum size of the blksize variable.
>
> Signed-off-by: Alistair Francis
> Suggested-by: Igor Mitsyanko
> Reported-by: Intel Security ATR
> Reviewed-by: Stefan Hajnoczi
> ---
>
>  hw/sd/sdhci.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)

Thanks, applied to my block tree:
https://github.com/stefanha/qemu/commits/block

Stefan
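The patch body is not included in this archived message, only its diffstat. The following is an added illustration of the mitigation the commit message describes, written for this page and not taken from QEMU's hw/sd/sdhci.c: a guest-writable block-size register whose value is clamped to the length of a fixed-size FIFO before any transfer uses it, so an out-of-range value can no longer index past the buffer. The device structure, the `FIFO_SIZE` constant, the 12-bit size field and the function names are assumptions made for the example.

```c
/* Added example: a model of a block-size register backed by a fixed FIFO.
 * Not QEMU's code; names, sizes and the register layout are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIFO_SIZE 0x200u  /* hypothetical FIFO length in bytes */

typedef struct {
    uint16_t blksize;                /* block size programmed by the guest */
    uint8_t  fifo_buffer[FIFO_SIZE]; /* fixed-size data FIFO */
    size_t   fifo_len;               /* bytes currently held in the FIFO */
} SdDevice;

/* Guest write to the block-size register. The model keeps only the low
 * 12 bits as the size (assumption for this example) and clamps the result
 * to the FIFO length: without the clamp, a later transfer sized by blksize
 * would write past the end of fifo_buffer[]. */
void sd_blksize_write(SdDevice *s, uint32_t value)
{
    uint32_t blksize = value & 0x0fffu;

    if (blksize > FIFO_SIZE) {
        blksize = FIFO_SIZE;
    }
    s->blksize = (uint16_t)blksize;
}

/* Copy one block from a host-side source into the FIFO.
 * Returns the number of bytes copied, which is never more than FIFO_SIZE
 * even if the stored blksize were somehow corrupted (defence in depth). */
size_t sd_fill_fifo(SdDevice *s, const uint8_t *src, size_t src_len)
{
    size_t n = s->blksize;

    if (n > sizeof(s->fifo_buffer)) {
        n = sizeof(s->fifo_buffer);
    }
    if (n > src_len) {
        n = src_len;
    }
    memcpy(s->fifo_buffer, src, n);
    s->fifo_len = n;
    return n;
}

/* Self-check used by the stand-alone main() and the test: returns 1 when
 * an oversized register write is clamped and the copy stays in bounds. */
int sd_selftest(void)
{
    SdDevice dev;
    uint8_t src[0x1000];  /* constructed source, larger than the FIFO */

    memset(&dev, 0, sizeof(dev));
    memset(src, 0xa5, sizeof(src));

    /* Largest value the 12-bit field can carry: must be clamped. */
    sd_blksize_write(&dev, 0x0fffu);
    if (dev.blksize != FIFO_SIZE) {
        return 0;
    }
    if (sd_fill_fifo(&dev, src, sizeof(src)) != FIFO_SIZE) {
        return 0;
    }

    /* In-range value passes through unchanged. */
    sd_blksize_write(&dev, 0x100u);
    if (dev.blksize != 0x100u) {
        return 0;
    }
    if (sd_fill_fifo(&dev, src, sizeof(src)) != 0x100u) {
        return 0;
    }
    return 1;
}

int main(void)
{
    printf("self-test %s\n", sd_selftest() ? "passed" : "FAILED");
    return sd_selftest() ? 0 : 1;
}
```

The clamp belongs at the register write, where the guest-controlled value first enters the device model; the second bound in `sd_fill_fifo` only guards the copy itself and should never trigger once the register path is correct.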