[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes
From: |
Michael Roth |
Subject: |
[PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes |
Date: |
Thu, 3 Sep 2020 15:59:11 -0500 |
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it
currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
(cherry picked from commit a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/sd/sd.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 04258f1816..c34435ede4 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -32,6 +32,7 @@
#include "qemu/osdep.h"
#include "qemu/units.h"
+#include "qemu/cutils.h"
#include "hw/irq.h"
#include "hw/registerfields.h"
#include "sysemu/block-backend.h"
@@ -2091,11 +2092,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
}
if (sd->blk) {
+ int64_t blk_size;
+
if (blk_is_read_only(sd->blk)) {
error_setg(errp, "Cannot use read-only drive as SD card");
return;
}
+ blk_size = blk_getlength(sd->blk);
+ if (blk_size > 0 && !is_power_of_2(blk_size)) {
+ int64_t blk_size_aligned = pow2ceil(blk_size);
+ char *blk_size_str;
+
+ blk_size_str = size_to_str(blk_size);
+ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
+ g_free(blk_size_str);
+
+ blk_size_str = size_to_str(blk_size_aligned);
+ error_append_hint(errp,
+ "SD card size has to be a power of 2, e.g. %s.\n"
+ "You can resize disk images with"
+ " 'qemu-img resize <imagefile> <new-size>'\n"
+ "(note that this will lose data if you make the"
+ " image smaller than it currently is).\n",
+ blk_size_str);
+ g_free(blk_size_str);
+
+ return;
+ }
+
ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
BLK_PERM_ALL, errp);
if (ret < 0) {
--
2.17.1
- [PATCH 38/77] error: Use error_reportf_err() where appropriate, (continued)
- [PATCH 38/77] error: Use error_reportf_err() where appropriate, Michael Roth, 2020/09/03
- [PATCH 41/77] chardev/tcp: Fix error message double free error, Michael Roth, 2020/09/03
- [PATCH 42/77] qga: fix assert regression on guest-shutdown, Michael Roth, 2020/09/03
- [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access, Michael Roth, 2020/09/03
- [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression, Michael Roth, 2020/09/03
- [PATCH 43/77] util: Introduce qemu_get_host_name(), Michael Roth, 2020/09/03
- [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name(), Michael Roth, 2020/09/03
- [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two, Michael Roth, 2020/09/03
- [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd', Michael Roth, 2020/09/03
- [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse, Michael Roth, 2020/09/03
- [PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes,
Michael Roth <=
- [PATCH 49/77] tests/acceptance: refactor boot_linux_console test to allow code reuse, Michael Roth, 2020/09/03
- [PATCH 47/77] tests/acceptance: allow console interaction with specific VMs, Michael Roth, 2020/09/03
- [PATCH 50/77] tests/acceptance/boot_linux: Expand SD card image to power of 2, Michael Roth, 2020/09/03
- [PATCH 51/77] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards, Michael Roth, 2020/09/03
- [PATCH 52/77] hw/sd/sdcard: Simplify realize() a bit, Michael Roth, 2020/09/03
- [PATCH 04/77] 9p: Lock directory streams with a CoMutex, Michael Roth, 2020/09/03
- [PATCH 54/77] hw/sd/sdcard: Update coding style to make checkpatch.pl happy, Michael Roth, 2020/09/03
- [PATCH 55/77] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, Michael Roth, 2020/09/03
- [PATCH 56/77] target/hppa: Free some temps in do_sub, Michael Roth, 2020/09/03
- [PATCH 57/77] tpm: tpm_spapr: Exit on TPM backend failures, Michael Roth, 2020/09/03