Subject: [PATCH 45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
From: Michael Roth
Date: Tue, 19 Oct 2021 09:09:25 -0500
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t
sd_wpbits(SDState *, uint64_t):
Assertion `wpnum < sd->wpgrps_size' failed.
#3 0x7f62a8b22c91 in __assert_fail
#4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
#5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
#6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
#7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
#8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
#9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
#10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).
In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.
Include the qtest reproducer provided by Alexander Bulekov:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum <
sd->wpgrps_size' failed.
Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
(cherry picked from commit 4ac0b72bae85cf94ae0e5153b9c2c288c71667d4)
*drop fuzz test additions, since sdcard fuzz test has functional
dependency on guest-visible change not flagged for stable:
59b63d78 ("hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT
(CMD30)")
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/sd/sd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index fa6bb79b15..bc8f17ddf9 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -821,7 +821,6 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
wpnum = sd_addr_to_wpnum(addr);
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
- assert(wpnum < sd->wpgrps_size);
if (addr >= sd->size) {
/*
* If the addresses of the last groups are outside the valid range,
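Review bot: With the assert dropped from the top of the loop body, nothing in this hunk bounds `wpnum` before the later `test_bit(wpnum, sd->wp_groups)` lookup, so the hunk is only correct together with the check re-added after the `continue`; because `wpnum` and `addr` advance in lock step, the `addr >= sd->size` test is what keeps the index below `wpgrps_size`, and that invariant deserves a one-line comment here so a future reorder does not bring back the abort OSS-Fuzz hit.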
@@ -829,6 +828,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
*/
continue;
}
+ assert(wpnum < sd->wpgrps_size);
if (test_bit(wpnum, sd->wp_groups)) {
ret |= (1 << i);
}
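Review bot: The relocated `assert(wpnum < sd->wpgrps_size)` now runs only for addresses that passed the `addr >= sd->size` check, so it asserts an internal invariant (that `sd_addr_to_wpnum()` and `wpgrps_size` are derived from the same card size) rather than a guest-controllable condition, which is the right use of assert in a device model; the comment block above could say so. Since this backport drops the fuzz test additions, the qtest reproducer quoted in the message (`make check-qtest-i386`) is the only regression check left and should be run against the stable branch.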
--
2.25.1
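To make the ordering the patch restores concrete, here is an added C model of the `sd_wpbits()` loop (not QEMU's code): the write-protect group size, a 64-group card and protected groups 62 and 63 are assumptions chosen so the example runs without real card geometry.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the sd_wpbits() loop in the patch above, not QEMU's
 * code. WPGROUP_SIZE, the 64-group card and the protected groups (62, 63)
 * are assumptions chosen so the example runs without real card geometry. */
#define WPGROUP_SIZE (4 * 1024ULL)        /* assumed write-protect group size */
#define NUM_GROUPS   64u                  /* assumed number of groups */
static const uint64_t sd_size = NUM_GROUPS * WPGROUP_SIZE;  /* card bytes */
static const uint32_t wpgrps_size = NUM_GROUPS;             /* sd->wpgrps_size */

static uint32_t sd_addr_to_wpnum(uint64_t addr) { return (uint32_t)(addr / WPGROUP_SIZE); }

/* Stands in for test_bit(wpnum, sd->wp_groups): last two groups protected. */
static bool group_protected(uint32_t wpnum) { return wpnum == 62 || wpnum == 63; }

/* Post-patch ordering: range check first, assertion only for in-range groups,
 * so a CMD30 query that runs past the end of the card reports 0 bits there. */
uint32_t fixed_query(uint64_t addr)
{
    uint32_t ret = 0, wpnum = sd_addr_to_wpnum(addr);
    for (int i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr >= sd_size) {
            continue;                     /* out-of-range group: bit stays 0 */
        }
        assert(wpnum < wpgrps_size);      /* now only reachable for valid addr */
        if (group_protected(wpnum)) {
            ret |= (1u << i);
        }
    }
    return ret;
}

/* Pre-patch ordering, evaluated without aborting: true if the misplaced
 * assertion (tested before the range check) would have fired for this query. */
bool old_would_assert(uint64_t addr)
{
    uint32_t wpnum = sd_addr_to_wpnum(addr);
    for (int i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (wpnum >= wpgrps_size) {
            return true;                  /* assert(wpnum < wpgrps_size) fails */
        }
    }
    return false;
}
```

A query starting at group 40 covers groups 40 to 71; the fixed loop reports bits 22 and 23 (groups 62 and 63) and silently skips groups 64 and up, whereas the old ordering would have aborted at group 64.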