From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Li Zhijian, Tony Nguyen, Alexey Kardashevskiy, Julia Suvorova, Philippe Mathieu-Daudé, Peter Xu, Alexander Bulekov, Paolo Bonzini, Richard Henderson, Stefano Garzarella
Subject: [RFC PATCH 1/2] exec: Let memory_access_size() consider minimum valid access size
Date: Sun, 17 May 2020 13:38:03 +0200
Message-Id: <20200517113804.9063-2-f4bug@amsat.org>
In-Reply-To: <20200517113804.9063-1-f4bug@amsat.org>

As it is illegal to access a device with less than its minimum valid size, also check for access_size_min.
Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- exec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/exec.c b/exec.c index 5162f0d12f..d3ec30f995 100644 --- a/exec.c +++ b/exec.c @@ -3066,10 +3066,14 @@ void memory_region_flush_rom_device(MemoryRegion *m= r, hwaddr addr, hwaddr size) =20 static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr) { + unsigned access_size_min =3D mr->ops->valid.min_access_size; unsigned access_size_max =3D mr->ops->valid.max_access_size; =20 /* Regions are assumed to support 1-4 byte accesses unless otherwise specified. */ + if (access_size_min =3D=3D 0) { + access_size_min =3D 1; + } if (access_size_max =3D=3D 0) { access_size_max =3D 4; } 
@@ -3082,11 +3086,14 @@ static int memory_access_size(MemoryRegion *mr, uns= igned l, hwaddr addr) } } =20 - /* Don't attempt accesses larger than the maximum. */ - if (l > access_size_max) { + /* Don't attempt accesses not in the minimum/maximum range. */ + if (l < access_size_min) { + l =3D access_size_min; + } else if (l > access_size_max) { l =3D access_size_max; + } else { + l =3D pow2floor(l); } - l =3D pow2floor(l); =20 return l; } --=20 2.21.3
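Review bot: the first hunk of memory_access_size() defaults access_size_min to 1 but never establishes access_size_min <= access_size_max before the range check in the second hunk runs. Whatever the code between the two hunks does to access_size_max (the second hunk's context opens with the `} }` that closes it), if it lowers access_size_max below access_size_min, the new `l < access_size_min` branch returns a width the region cannot take at that address. Suggest asserting or documenting the invariant right after the defaults, e.g. `assert(access_size_min <= access_size_max);`, or clamping access_size_min to access_size_max before the range check.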
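Review bot: with the `l < access_size_min` branch in the second hunk, memory_access_size() now returns a value larger than the l it was given, and its callers in flatview_write_continue()/flatview_read_continue() (the `- l = memory_access_size(mr, l, addr1);` lines removed in 2/2) use that return value as the width of ldn_he_p(buf, l) / stn_he_p(buf, l, val) on a buf that only holds the original l bytes. Applied on its own, this patch therefore turns a short MMIO access into an over-read or over-write of the caller's buffer; the heap-buffer-overflow in the 2/2 commit message (`WRITE of size 4` in stl_he_p, called from stn_he_p in flatview_read_continue) is that path. Either squash the caller change into this patch so the tree is never in that state, or keep the contract that the result never exceeds l (for instance return 0 when l < access_size_min and let callers treat 0 as "cannot be served"). The new comment also claims accesses outside the range are not attempted, while the code does attempt one of access_size_min bytes; reword it to match the behaviour.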
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Li Zhijian, Tony Nguyen, Alexey Kardashevskiy, Julia Suvorova, Philippe Mathieu-Daudé, Peter Xu, Alexander Bulekov, Paolo Bonzini, Richard Henderson, Stefano Garzarella
Subject: [RFC PATCH 2/2] exec: Do not let flatview_read/write_continue do (too) short accesses
Date: Sun, 17 May 2020 13:38:04 +0200
Message-Id: <20200517113804.9063-3-f4bug@amsat.org>
In-Reply-To: <20200517113804.9063-1-f4bug@amsat.org>

Instead of accessing a device with an invalid short size, return MEMTX_ERROR to indicate the transaction failed (as the device won't accept the transaction anyway).

Reported by libFuzzer. sdhci_sdma_transfer_multi_blocks() ends up calling dma_memory_rw() with size < 4, while the DMA MMIO regions are restricted to 32-bit accesses:

qemu-fuzz-arm: hw/dma/bcm2835_dma.c:153: uint64_t bcm2835_dma_read(BCM2835DMAState *, hwaddr, unsigned int, unsigned int): Assertion `size == 4' failed.
==27332== ERROR: libFuzzer: deadly signal
    #8 0x7f0ffa1f5565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x562fe3c9c83f in bcm2835_dma_read (qemu-fuzz-arm+0x1d2e83f)
    #10 0x562fe3c9f81b in bcm2835_dma15_read (qemu-fuzz-arm+0x1d3181b)
    #11 0x562fe307d265 in memory_region_read_accessor (qemu-fuzz-arm+0x110f265)
    #12 0x562fe304ecb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3)
    #13 0x562fe304cb37 in memory_region_dispatch_read1 (qemu-fuzz-arm+0x10deb37)
    #14 0x562fe304c553 in memory_region_dispatch_read (qemu-fuzz-arm+0x10de553)
    #15 0x562fe2e7fd1d in flatview_read_continue (qemu-fuzz-arm+0xf11d1d)
    #16 0x562fe2e8147d in flatview_read (qemu-fuzz-arm+0xf1347d)
    #17 0x562fe2e80fd4 in address_space_read_full (qemu-fuzz-arm+0xf12fd4)
    #18 0x562fe2e820fa in address_space_rw (qemu-fuzz-arm+0xf140fa)
    #19 0x562fe411e485 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0485)
    #20 0x562fe411deb5 in dma_memory_rw (qemu-fuzz-arm+0x21afeb5)
    #21 0x562fe411d837 in dma_memory_read (qemu-fuzz-arm+0x21af837)
    #22 0x562fe41190a6 in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21ab0a6)
    #23 0x562fe41217c1 in sdhci_write (qemu-fuzz-arm+0x21b37c1)
    #24 0x562fe304f147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147)
    #25 0x562fe304ecb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3)
    #26 0x562fe304d853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853)
    #27 0x562fe2e91e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b)
    #28 0x562fe2e81d02 in flatview_write (qemu-fuzz-arm+0xf13d02)
    #29 0x562fe2e81834 in address_space_write (qemu-fuzz-arm+0xf13834)

qemu-fuzz-arm: hw/dma/bcm2835_dma.c:200: void bcm2835_dma_write(BCM2835DMAState *, hwaddr, uint64_t, unsigned int, unsigned int): Assertion `size == 4' failed.
==16113== ERROR: libFuzzer: deadly signal
    #8 0x7fd823d3d565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x557a62b72ec3 in bcm2835_dma_write (qemu-fuzz-arm+0x1d2eec3)
    #10 0x557a62b725e8 in bcm2835_dma0_write (qemu-fuzz-arm+0x1d2e5e8)
    #11 0x557a61f25147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147)
    #12 0x557a61f24cb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3)
    #13 0x557a61f23853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853)
    #14 0x557a61d67e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b)
    #15 0x557a61d57d02 in flatview_write (qemu-fuzz-arm+0xf13d02)
    #16 0x557a61d57834 in address_space_write (qemu-fuzz-arm+0xf13834)
    #17 0x557a61d58054 in address_space_rw (qemu-fuzz-arm+0xf14054)
    #18 0x557a62ff4485 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0485)
    #19 0x557a62ff3eb5 in dma_memory_rw (qemu-fuzz-arm+0x21afeb5)
    #20 0x557a62ff379a in dma_memory_write (qemu-fuzz-arm+0x21af79a)
    #21 0x557a62fee9dc in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21aa9dc)
    #22 0x557a62ff77c1 in sdhci_write (qemu-fuzz-arm+0x21b37c1)
    #23 0x557a61f25147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147)
    #24 0x557a61f24cb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3)
    #25 0x557a61f23853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853)
    #26 0x557a61d67e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b)
    #27 0x557a61d57d02 in flatview_write (qemu-fuzz-arm+0xf13d02)
    #28 0x557a61d57834 in address_space_write (qemu-fuzz-arm+0xf13834)

==5448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000024380 at pc 0x55aac095e2cc bp 0x7fff9144ead0 sp 0x7fff9144e280
WRITE of size 4 at 0x619000024380 thread T0
    #0 0x55aac095e2cb in __asan_memcpy (qemu-fuzz-arm+0xeb92cb)
    #1 0x55aac09de163 in stl_he_p (qemu-fuzz-arm+0xf39163)
    #2 0x55aac09b796f in stn_he_p (qemu-fuzz-arm+0xf1296f)
    #3 0x55aac09b6ec5 in flatview_read_continue (qemu-fuzz-arm+0xf11ec5)
    #4 0x55aac09b86dd in flatview_read (qemu-fuzz-arm+0xf136dd)
    #5 0x55aac09b8234 in address_space_read_full (qemu-fuzz-arm+0xf13234)
    #6 0x55aac09b935a in address_space_rw (qemu-fuzz-arm+0xf1435a)
    #7 0x55aac1c55b35 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0b35)
    #8 0x55aac1c55565 in dma_memory_rw (qemu-fuzz-arm+0x21b0565)
    #9 0x55aac1c54ee7 in dma_memory_read (qemu-fuzz-arm+0x21afee7)
    #10 0x55aac1c5074e in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21ab74e)
    #11 0x55aac1c58e71 in sdhci_write (qemu-fuzz-arm+0x21b3e71)
    #12 0x55aac0b86417 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1417)
    #13 0x55aac0b85f87 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0f87)
    #14 0x55aac0b84ab3 in memory_region_dispatch_write (qemu-fuzz-arm+0x10dfab3)
    #15 0x55aac09c906b in flatview_write_continue (qemu-fuzz-arm+0xf2406b)
    #16 0x55aac09b8f62 in flatview_write (qemu-fuzz-arm+0xf13f62)
    #17 0x55aac09b8a94 in address_space_write (qemu-fuzz-arm+0xf13a94)

Reported-by: Clang combined libFuzzer with AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé
---
 exec.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/exec.c b/exec.c
index d3ec30f995..100c2754f2 100644
--- a/exec.c
+++ b/exec.c
@@ -3136,13 +3136,20 @@ static MemTxResult flatview_write_continue(FlatView= *fv, hwaddr addr, =20 for (;;) { if (!memory_access_is_direct(mr, true)) { + /* I/O case */ + hwaddr l2; + release_lock |=3D prepare_mmio_access(mr); - l =3D memory_access_size(mr, l, addr1); + l2 =3D memory_access_size(mr, l, addr1); /* XXX: could force current_cpu to NULL to avoid potential bugs */ - val =3D ldn_he_p(buf, l); - result |=3D memory_region_dispatch_write(mr, addr1, val, - size_memop(l), attrs); + if (l <=3D l2) { + val =3D ldn_he_p(buf, l); + result |=3D memory_region_dispatch_write(mr, addr1, val, + size_memop(l), attr= s); + } else { + result =3D MEMTX_ERROR; + } } else { /* RAM case */ ram_ptr =3D qemu_ram_ptr_length(mr->ram_block, addr1, &l, fals= e); @@ -3202,11 +3209,17 @@ MemTxResult flatview_read_continue(FlatView *fv, hw= addr addr, for (;;) { if (!memory_access_is_direct(mr, false)) { /* I/O case */ + hwaddr l2; + release_lock |=3D prepare_mmio_access(mr); - l =3D memory_access_size(mr, l, addr1); - result |=3D memory_region_dispatch_read(mr, addr1, &val, - size_memop(l), attrs); - stn_he_p(buf, l, val); + l2 =3D memory_access_size(mr, l, addr1); + if (l <=3D l2) { + result |=3D memory_region_dispatch_read(mr, addr1, &val, + size_memop(l), attrs= ); + stn_he_p(buf, l, val); + } else { + result =3D MEMTX_ERROR; + } } else { /* RAM case */ ram_ptr =3D qemu_ram_ptr_length(mr->ram_block, addr1, &l, fals= e); --=20 2.21.3
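Review bot: in the flatview_write_continue hunk the accept test `if (l <= l2)` looks inverted. With 1/2 applied, memory_access_size() returns access_size_min when l is below it, so for the sdhci case in the commit message (l = 1 against a region that only takes 4-byte accesses) l2 = 4, `1 <= 4` holds and the write is still dispatched with size_memop(1), the short access this patch sets out to refuse. In the other direction, an 8-byte write to a region with max_access_size 4 gets l2 = 4, `8 <= 4` fails and an access that used to be split into two 4-byte writes now returns MEMTX_ERROR; a 3-byte write to a default 1..4 region (l2 = 2) fails the same way. Suggest failing only when the width had to be rounded up and otherwise keeping the clamped width as before: `if (l2 > l) { result |= MEMTX_ERROR; } else { l = l2; val = ldn_he_p(buf, l); ... size_memop(l) ... }`, and use `|=` rather than `=` so error bits already accumulated in result are not discarded.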
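Review bot: the flatview_read_continue hunk has the same inverted `l <= l2` test as the write side, so the bcm2835_dma_read assertion from the commit message (a 1-byte read dispatched to a region that only accepts 4) is still reachable, while legitimate reads larger than max_access_size or not a power of two are now rejected; apply the same `if (l2 > l)` fix here. What this hunk does get right is keeping stn_he_p(buf, l, val) at the caller's l rather than the rounded-up width, which is what closes the heap-buffer-overflow in the ASan report; whatever condition is settled on, the store must never use a width larger than the bytes left in buf. Also, `result = MEMTX_ERROR` is an assignment while the other path accumulates with `|=`, and nothing in the hunk leaves the `for (;;)` after the error, so please state whether the remaining chunks of the transaction are meant to be dispatched once one of them has failed.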
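As an added illustration, not part of this thread and not QEMU code, the following stand-alone C model reproduces the clamping rule from 1/2 and contrasts the `l <= l2` accept test from 2/2 with a loop that refuses only accesses whose width had to be rounded up and otherwise splits them the way the dispatch loop always has. ModelRegion, model_access_size(), rfc_condition_dispatches() and split_access() are this example's own names; MEMTX_OK/MEMTX_ERROR only mirror QEMU's result codes; the two regions in main() (a 4-byte-only DMA-style register block like the one behind the bcm2835_dma assertion, and one with the 1..4 defaults) are constructed for the example.

```c
/* Added example (not QEMU code): a stand-alone model of the access-size
 * clamping from RFC 1/2 and of the accept test from RFC 2/2.  All names
 * below are the example's own; MEMTX_OK/MEMTX_ERROR mirror QEMU's codes. */
#include <stdio.h>

typedef int MemTxResult;
#define MEMTX_OK    0
#define MEMTX_ERROR 1

typedef struct {
    unsigned min_access_size;   /* 0 = unspecified, defaults to 1 */
    unsigned max_access_size;   /* 0 = unspecified, defaults to 4 */
} ModelRegion;

/* Largest power of two <= v (v must be non-zero). */
static unsigned pow2floor_u(unsigned v)
{
    unsigned p = 1;
    while (p <= v / 2) {
        p <<= 1;
    }
    return p;
}

/* The rule from 1/2: default the bounds, then clamp l into [min, max].
 * Because of the l < min branch the result can be LARGER than l. */
static unsigned model_access_size(const ModelRegion *mr, unsigned l)
{
    unsigned min = mr->min_access_size ? mr->min_access_size : 1;
    unsigned max = mr->max_access_size ? mr->max_access_size : 4;

    if (l < min) {
        return min;
    } else if (l > max) {
        return max;
    }
    return pow2floor_u(l);
}

/* The accept test as written in 2/2 (dispatch when l <= l2).
 * Returns 1 if an access of the caller's width l would be dispatched. */
static int rfc_condition_dispatches(const ModelRegion *mr, unsigned l)
{
    unsigned l2 = model_access_size(mr, l);
    return l <= l2;
}

/* A caller-safe loop: issue chunks as long as the clamped width does not
 * exceed the bytes still in the caller's buffer, and fail the transaction
 * the moment it would (a short access would be rejected by the device, a
 * rounded-up one would overrun the buffer).  Chunk widths go to chunks[]
 * (up to max_chunks); *nchunks counts every chunk issued before returning. */
static MemTxResult split_access(const ModelRegion *mr, unsigned len,
                                unsigned *chunks, unsigned max_chunks,
                                unsigned *nchunks)
{
    *nchunks = 0;
    while (len) {
        unsigned l = model_access_size(mr, len);
        if (l > len) {
            return MEMTX_ERROR;
        }
        if (*nchunks < max_chunks) {
            chunks[*nchunks] = l;
        }
        (*nchunks)++;
        len -= l;
    }
    return MEMTX_OK;
}

int main(void)
{
    /* Constructed regions: a 32-bit-only DMA-style register block, and a
     * region with the 1..4 defaults. */
    const ModelRegion regions[] = { { 4, 4 }, { 0, 0 } };
    const char *names[] = { "min=max=4", "default 1..4" };
    const unsigned lens[] = { 1, 3, 4, 6, 8 };
    unsigned chunks[16], n, r, i, j;

    for (r = 0; r < 2; r++) {
        for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
            MemTxResult res = split_access(&regions[r], lens[i], chunks, 16, &n);
            printf("%-13s len %u: rfc test dispatches=%d, safe loop=%-11s chunks:",
                   names[r], lens[i],
                   rfc_condition_dispatches(&regions[r], lens[i]),
                   res == MEMTX_OK ? "OK" : "MEMTX_ERROR");
            for (j = 0; j < n; j++) {
                printf(" %u", chunks[j]);
            }
            printf("\n");
        }
    }
    return 0;
}
```

Running it shows the two failure modes side by side: for the 4-byte-only region the RFC test still dispatches a 1-byte access (l2 = 4, 1 <= 4) yet refuses an 8-byte one (l2 = 4, 8 <= 4 is false), whereas split_access() returns MEMTX_ERROR for the 1-byte case and issues two 4-byte chunks for the 8-byte case; on the default region a 3-byte access becomes the familiar 2 + 1 split.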