From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 1/6] hw/sd: sdhci: Don't transfer any data when command time out
Date: Tue, 16 Feb 2021 11:46:49 +0800
Message-Id: <1613447214-81951-2-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
    -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive \
    -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Acked-by: Alistair Francis
Tested-by: Alexander Bulekov
Tested-by: Philippe Mathieu-Daudé
---

(no changes since v1)

 hw/sd/sdhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 8ffa539..1c5ab26 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) SDRequest request; uint8_t response[16]; int rlen; + bool timeout =3D false; =20 s->errintsts =3D 0; s->acmd12errsts =3D 0;
@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) trace_sdhci_response16(s->rspreg[3], s->rspreg[2], s->rspreg[1], s->rspreg[0]); } else { + timeout =3D true; trace_sdhci_error("timeout waiting for command response"); if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { s->errintsts |=3D SDHC_EIS_CMDTIMEOUT; 
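Review bot: the separate `timeout` flag is the right mechanism here rather than testing `s->errintsts` afterwards, because the visible branch only records SDHC_EIS_CMDTIMEOUT when the guest has enabled it in `s->errintstsen`; a guest that masks the error interrupt must still not get a data phase after an unanswered command. That reasoning deserves a one-line comment next to `timeout = true;` so the flag is not later "simplified" into an errintsts check. Note also that only the no-response branch sets the flag; if sdhci_send_command() has other command-failure paths, they need to set it too, otherwise the guard added in the last hunk will not cover them.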
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) =20 sdhci_update_irq(s); =20 - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { s->data_count =3D 0; sdhci_data_transfer(s); }
-- 
2.7.4
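Review bot: the `!timeout &&` term is the whole fix, so it should carry a comment stating the rule it implements (no data phase follows a command that received no response), and the commit message should say what happened before: with `s->blksize` and SDHC_CMD_DATA_PRESENT under guest control, `sdhci_data_transfer()` was entered even though the card never answered, which is the condition the listed CVEs and bug links describe. Two details are not visible from this hunk and are worth confirming in the commit message: whether `s->data_count` and the transfer-in-progress bits in `s->prnsts` are left in a consistent state on the timeout path now that the transfer is skipped, and why three CVEs are attached to a one-line guard (which of them this hunk alone closes versus the later patches in the series).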
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 2/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Date: Tue, 16 Feb 2021 11:46:50 +0800
Message-Id: <1613447214-81951-3-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

Per "SD Host Controller Standard Specification Version 7.00" chapter 2.2.1
SDMA System Address Register:

  This register can be accessed only if no transaction is executing
  (i.e., after a transaction has stopped).
With this fix, the following reproducer:

https://paste.debian.net/plain/1185137

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
---

(no changes since v1)

 hw/sd/sdhci.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 1c5ab26..05cb281 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1122,15 +1122,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t v= al, unsigned size) =20 switch (offset & ~0x3) { case SDHC_SYSAD: - s->sdmasysad =3D (s->sdmasysad & mask) | value; - MASKED_WRITE(s->sdmasysad, mask, value); - /* Writing to last byte of sdmasysad might trigger transfer */ - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blk= cnt && - s->blksize && SDHC_DMA_TYPE(s->hostctl1) =3D=3D SDHC_CTRL_= SDMA) { - if (s->trnmod & SDHC_TRNS_MULTI) { - sdhci_sdma_transfer_multi_blocks(s); - } else { - sdhci_sdma_transfer_single_block(s); + if (!TRANSFERRING_DATA(s->prnsts)) { + s->sdmasysad =3D (s->sdmasysad & mask) | value; + MASKED_WRITE(s->sdmasysad, mask, value); + /* Writing to last byte of sdmasysad might trigger transfer */ + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && + SDHC_DMA_TYPE(s->hostctl1) =3D=3D SDHC_CTRL_SDMA) { + if (s->trnmod & SDHC_TRNS_MULTI) { + sdhci_sdma_transfer_multi_blocks(s); + } else { + sdhci_sdma_transfer_single_block(s); + } } } break;
-- 
2.7.4
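Review bot: moving `TRANSFERRING_DATA(s->prnsts)` out of the "might trigger transfer" condition and into a guard around the whole SYSAD write inverts its role. Before, a write to the last byte of sdmasysad while a transfer was active continued that transfer (the normal SDMA sequence after a DMA-boundary interrupt is for the driver to rewrite SYSAD); after this hunk such a write is dropped entirely, and a transfer can only be kicked off when no transfer is active. The commit message should explain how boundary continuation works once this is applied, and the code should be checked to clear the transfer-in-progress bits when an SDMA transfer stops at a boundary; otherwise the driver's SYSAD update would be silently ignored and the transfer would stall. The spec text quoted in the commit message ("after a transaction has stopped") describes exactly that stopped state, so saying how the model reaches it closes the gap. Also note that `s->sdmasysad = (s->sdmasysad & mask) | value;` and the following `MASKED_WRITE(s->sdmasysad, mask, value);` perform the same update twice; the first line could be dropped in this rewrite.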
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 3/6] hw/sd: sdhci: Correctly set the controller status for ADMA
Date: Tue, 16 Feb 2021 11:46:51 +0800
Message-Id: <1613447214-81951-4-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

When an ADMA transfer is started, the code forgets to set the controller
status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---

(no changes since v1)

 hw/sd/sdhci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 05cb281..0b0ca6f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -769,7 +769,9 @@ static void sdhci_do_adma(SDHCIState *s) =20 switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ + s->prnsts |=3D SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; if (s->trnmod & SDHC_TRNS_READ) { + s->prnsts |=3D SDHC_DOING_READ; while (length) { if (s->data_count =3D=3D 0) { sdbus_read_data(&s->sdbus, s->fifo_buffer, block_s= ize);
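Review bot: `s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;` sits inside the per-descriptor `switch`, so it is re-applied for every TRAN descriptor rather than once when the ADMA transfer begins; hoisting it above the descriptor loop would match the hoisted form the SDMA path gets in patch 4/6 and avoid suggesting that the status depends on the descriptor type. More important is what this hunk does not show: nothing here clears the bits, so the end-of-transfer and error exits of sdhci_do_adma() need to be checked to drop DATA_INHIBIT/DAT_LINE_ACTIVE/DOING_READ. With patch 2/6 applied, a stale "transferring" status would not just misreport state to the guest but also block every later SYSAD write.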
@@ -797,6 +799,7 @@ static void sdhci_do_adma(SDHCIState *s) } } } else { + s->prnsts |=3D SDHC_DOING_WRITE; while (length) { begin =3D s->data_count; if ((length + begin) < block_size) {
-- 
2.7.4
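Review bot: SDHC_DOING_WRITE here mirrors SDHC_DOING_READ in the read branch of the previous hunk, which is consistent; the matching clear of SDHC_DOING_WRITE when the write-direction ADMA transfer completes or aborts is not part of this hunk and should be verified together with the read case, since both direction bits are set under the same DATA_INHIBIT | DAT_LINE_ACTIVE status.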
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 4/6] hw/sd: sdhci: Simplify updating s->prnsts in sdhci_sdma_transfer_multi_blocks()
Date: Tue, 16 Feb 2021 11:46:52 +0800
Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

s->prnsts is updated in both branches of the if () else () statement.
Move the common bits outside so that it is cleaner.
Signed-off-by: Bin Meng
Reviewed-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---

(no changes since v1)

 hw/sd/sdhci.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 0b0ca6f..7a2003b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -598,9 +598,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) page_aligned =3D true; } =20 + s->prnsts |=3D SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; if (s->trnmod & SDHC_TRNS_READ) { - s->prnsts |=3D SDHC_DOING_READ | SDHC_DATA_INHIBIT | - SDHC_DAT_LINE_ACTIVE; + s->prnsts |=3D SDHC_DOING_READ; while (s->blkcnt) { if (s->data_count =3D=3D 0) { sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
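Review bot: behaviour-preserving as far as the visible lines go: both branches previously ORed SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE together with the direction bit, and the hoisted statement sets those two bits before the `if`, so `s->prnsts` ends up identical in either branch. Since the resulting three-line sequence is the same one patch 3/6 adds to sdhci_do_adma(), a small helper (set transfer-active status for a given direction) would keep the two DMA paths from drifting apart again.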
@@ -627,8 +627,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) } } } else { - s->prnsts |=3D SDHC_DOING_WRITE | SDHC_DATA_INHIBIT | - SDHC_DAT_LINE_ACTIVE; + s->prnsts |=3D SDHC_DOING_WRITE; while (s->blkcnt) { begin =3D s->data_count; if (((boundary_count + begin) < block_size) && page_aligned) {
-- 
2.7.4
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
Date: Tue, 16 Feb 2021 11:46:53 +0800
Message-Id: <1613447214-81951-6-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

The code to limit the maximum block size is only necessary when the SDHC_BLKSIZE register is writable.
Signed-off-by: Bin Meng
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
Changes in v2:
- new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is writable

 hw/sd/sdhci.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 7a2003b..d0c8e29 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t v= al, unsigned size) if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - } =20 - /* Limit block size to the maximum buffer size */ - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " - "the maximum buffer 0x%x\n", __func__, s->blksiz= e, - s->buf_maxsz); + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger th= an " + "the maximum buffer 0x%x\n", __func__, s->bl= ksize, + s->buf_maxsz); =20 - s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); + s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); + } } =20 break; --=20 2.7.4
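Review bot: in the relocated clamp, the comparison uses extract32(s->blksize, 0, 12) but the qemu_log_mask() message prints the full s->blksize with "Size 0x%x", so the logged size also carries the SDMA buffer boundary field above bit 12 and can differ from the value actually compared against s->buf_maxsz; print the extracted 12-bit value instead. Moving the whole block inside `if (!TRANSFERRING_DATA(s->prnsts))` is right, since a write ignored during a transfer leaves s->blksize as an earlier, already clamped write set it.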
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
Date: Tue, 16 Feb 2021 11:46:54 +0800
Message-Id: <1613447214-81951-7-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>
References: <1613447214-81951-1-git-send-email-bmeng.cn@gmail.com>

If the block size is programmed to a different value from the previous one, reset the data pointer of s->fifo_buffer[] so that s->fifo_buffer[] can be filled in using the new block size in the next transfer.
With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
---
Changes in v2:
- new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed

 hw/sd/sdhci.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index d0c8e29..5b86781 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val= , unsigned size) break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { + uint16_t blksize =3D s->blksize; + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); =20
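Review bot: `uint16_t blksize =3D s->blksize;` snapshots the whole register, including the SDMA buffer boundary field above bit 12, so the comparison this snapshot feeds in the next hunk also triggers when only the boundary field changes while the 12-bit block size stays the same; either note in the comment that this is intended, or snapshot and compare extract32(s->blksize, 0, 12) on both sides. Keeping the declaration inside the `if (!TRANSFERRING_DATA(s->prnsts))` block is correct, since a write ignored during a transfer must not touch s->data_count.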
@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t va= l, unsigned size) =20 s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); } + + /* + * If the block size is programmed to a different value from + * the previous one, reset the data pointer of s->fifo_buffer[] + * so that s->fifo_buffer[] can be filled in using the new blo= ck + * size in the next transfer. + */ + if (blksize !=3D s->blksize) { + s->data_count =3D 0; + } } =20 break; --=20 2.7.4
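Review bot: `s->data_count =3D 0;` silently discards any bytes already staged in s->fifo_buffer[] by a previous, differently sized transfer; a block size change with a non-zero s->data_count means the guest abandoned a block mid-transfer, so consider logging it with qemu_log_mask(LOG_GUEST_ERROR, ...) as the clamp above already does, which makes sequences like the reproducer in the commit message visible in the guest error log. The comparison also runs after the buf_maxsz clamp, so an oversized write that gets clamped still resets the pointer; the comment should spell out that the compared value is the post-clamp one.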