From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 1/2] tests/acceptance/boot_linux: Truncate SD card image to power of 2
Date: Tue, 7 Jul 2020 15:21:15 +0200
Message-Id: <20200707132116.26207-2-f4bug@amsat.org>
In-Reply-To: <20200707132116.26207-1-f4bug@amsat.org>
Cc: Peter Maydell, qemu-block@nongnu.org, Alistair Francis, Philippe Mathieu-Daudé, Wainer dos Santos Moschetta, Niek Linnenbank, Cleber Rosa, Paolo Bonzini

In the next commit we won't allow SD card images with invalid size (not aligned to a power of 2).
Prepare the tests: add the pow2ceil() and image_pow2ceil_truncate() methods and truncate the images of the tests using SD cards. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- tests/acceptance/boot_linux_console.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot= _linux_console.py index 3d02519660..f4d4e3635f 100644 --- a/tests/acceptance/boot_linux_console.py +++ b/tests/acceptance/boot_linux_console.py @@ -28,6 +28,18 @@ except CmdNotFoundError: P7ZIP_AVAILABLE =3D False =20 +# round up to next power of 2 +def pow2ceil(x): + return 1 if x =3D=3D 0 else 2**(x - 1).bit_length() + +# truncate file size to next power of 2 +def image_pow2ceil_truncate(path): + size =3D os.path.getsize(path) + size_aligned =3D pow2ceil(size) + if size !=3D size_aligned: + with open(path, 'ab+') as fd: + fd.truncate(size_aligned) + class LinuxKernelTest(Test): KERNEL_COMMON_COMMAND_LINE =3D 'printk.time=3D0 ' =20 @@ -635,6 +647,7 @@ def test_arm_orangepi_sd(self): rootfs_path_xz =3D self.fetch_asset(rootfs_url, asset_hash=3Drootf= s_hash) rootfs_path =3D os.path.join(self.workdir, 'rootfs.cpio') archive.lzma_uncompress(rootfs_path_xz, rootfs_path) + image_pow2ceil_truncate(rootfs_path) =20 self.vm.set_console() kernel_command_line =3D (self.KERNEL_COMMON_COMMAND_LINE + @@ -679,6 +692,7 @@ def test_arm_orangepi_bionic(self): image_name =3D 'Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.im= g' image_path =3D os.path.join(self.workdir, image_name) process.run("7z e -o%s %s" % (self.workdir, image_path_7z)) + image_pow2ceil_truncate(image_path) =20 self.vm.set_console() self.vm.add_args('-drive', 'file=3D' + image_path + ',if=3Dsd,form= at=3Draw', 
@@ -728,6 +742,7 @@ def test_arm_orangepi_uboot_netbsd9(self): image_hash =3D '2babb29d36d8360adcb39c09e31060945259917a' image_path_gz =3D self.fetch_asset(image_url, asset_hash=3Dimage_h= ash) image_path =3D os.path.join(self.workdir, 'armv7.img') + image_pow2ceil_truncate(image_path) image_drive_args =3D 'if=3Dsd,format=3Draw,snapshot=3Don,file=3D' = + image_path archive.gzip_uncompress(image_path_gz, image_path) =20 --=20 2.21.3
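Review bot: In the last hunk of patch 1 (test_arm_orangepi_uboot_netbsd9), image_pow2ceil_truncate(image_path) is called before archive.gzip_uncompress(image_path_gz, image_path), so armv7.img has not been written yet when os.path.getsize() runs, and any resize would be overwritten by the decompression anyway. Move the call to after the gzip_uncompress() line, matching the order used in test_arm_orangepi_sd and test_arm_orangepi_bionic, where the image is resized after it is extracted.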
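Review bot: In the first hunk of patch 1, image_pow2ceil_truncate() and its comment "truncate file size to next power of 2" suggest data may be cut off, but pow2ceil() only rounds up, so fd.truncate(size_aligned) can only grow the file. A name such as image_pow2ceil_expand() and a comment saying the image is extended up to the next power of 2 would describe what the helper does; a docstring stating that the file is modified in place would also help, since the tests pass it freshly extracted assets.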
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 2/2] hw/sd/sdcard: Do not allow invalid SD card sizes
Date: Tue, 7 Jul 2020 15:21:16 +0200
Message-Id: <20200707132116.26207-3-f4bug@amsat.org>
In-Reply-To: <20200707132116.26207-1-f4bug@amsat.org>
Cc: Peter Maydell, qemu-block@nongnu.org, Alistair Francis, Philippe Mathieu-Daudé, Wainer dos Santos Moschetta, Niek Linnenbank, Cleber Rosa, Paolo Bonzini

QEMU allows creating SD cards with unrealistic sizes.
This could work, but some guests (at least Linux) consider sizes that are not a power of 2 as a firmware bug and fix the card size to the next power of 2.

Before the CVE-2020-13253 fix, this would allow OOB read/write accesses past the image size end.

CVE-2020-13253 has been fixed as:

    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

    WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data().

While this is the correct behavior, in case QEMU creates smaller SD cards, guests still try to access past the image size end, and QEMU considers this an invalid address, thus "all further data transfer is ignored". This is wrong and makes the guest loop until it eventually times out.

Fix by not allowing invalid SD card sizes. Suggesting the expected size as a hint:

  $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
  qemu-system-arm: Invalid SD card size: 60 MiB (expecting at least 64 MiB)

Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sd.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index cb81487e5c..c45106b78e 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -32,6 +32,7 @@ =20 #include "qemu/osdep.h" #include "qemu/units.h" +#include "qemu/cutils.h" #include "hw/irq.h" #include "hw/registerfields.h" #include "sysemu/block-backend.h" 
@@ -2130,11 +2131,26 @@ static void sd_realize(DeviceState *dev, Error **er= rp) } =20 if (sd->blk) { + int64_t blk_size; + if (blk_is_read_only(sd->blk)) { error_setg(errp, "Cannot use read-only drive as SD card"); return; } =20 + blk_size =3D blk_getlength(sd->blk); + if (blk_size > 0 && !is_power_of_2(blk_size)) { + int64_t blk_size_aligned =3D pow2ceil(blk_size); + char *blk_size_str =3D size_to_str(blk_size); + char *blk_size_aligned_str =3D size_to_str(blk_size_aligned); + + error_setg(errp, "Invalid SD card size: %s (expecting at least= %s)", + blk_size_str, blk_size_aligned_str); + g_free(blk_size_str); + g_free(blk_size_aligned_str); + return; + } + ret =3D blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_= WRITE, BLK_PERM_ALL, errp); if (ret < 0) { --=20 2.21.3
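Review bot: In the sd_realize() hunk of patch 2, the "blk_size > 0" guard means a negative return from blk_getlength() (an error) skips the check silently and realize carries on with a backend whose length is unknown; report it instead, for example with error_setg_errno(errp, -blk_size, ...) followed by return. The message text "expecting at least %s" also does not match the test, which is !is_power_of_2(blk_size): a user who picks a larger size that is still not a power of 2 is rejected again, so wording that names the exact expected size, plus a hint on how to resize the image, would fit the check better.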
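The failure mode described in the commit message of patch 2, as an added example (a simplified model with hypothetical names, not code from hw/sd/sd.c or from the patch author): the guest rounds the card size up to a power of 2, and every block between the image end and that size is answered with ADDRESS_ERROR.

```c
#include <stdint.h>
#include <stdio.h>

#define MiB   (1024ULL * 1024ULL)
#define BLOCK 512u

/* Simplified model with hypothetical names; not code from hw/sd/sd.c. */
enum xfer { XFER_OK, XFER_ADDRESS_ERROR };

/* Next power of 2 >= v, or 0 if that does not fit in 64 bits. This is the
 * capacity a guest assumes when it rounds the card size up. */
static uint64_t pow2_ceil(uint64_t v)
{
    uint64_t p = 1;
    if (v > (1ULL << 63)) return 0;
    while (p < v) {
        p <<= 1;
    }
    return p;
}

/* Device side after the CVE-2020-13253 fix: a transfer that would end past
 * the backing image is rejected and no data moves (overflow-safe test). */
static enum xfer card_access(uint64_t image_size, uint64_t addr, uint32_t len)
{
    if (addr > image_size || len > image_size - addr) {
        return XFER_ADDRESS_ERROR;
    }
    return XFER_OK;
}

/* Count the blocks the guest believes exist but the device always rejects. */
static uint64_t rejected_blocks(uint64_t image_size)
{
    uint64_t capacity = pow2_ceil(image_size), n = 0;
    for (uint64_t addr = 0; addr < capacity; addr += BLOCK) {
        n += card_access(image_size, addr, BLOCK) == XFER_ADDRESS_ERROR;
    }
    return n;
}

int main(void)
{
    /* Constructed sizes: the 60 MiB image from the error message, and 64 MiB. */
    printf("60 MiB: %llu, 64 MiB: %llu rejected blocks\n",
           (unsigned long long)rejected_blocks(60 * MiB),
           (unsigned long long)rejected_blocks(64 * MiB));
    return 0;
}
```

With the size check from patch 2 in place, the 60 MiB case is refused when the device is realized, so the guest never sees the unbacked range.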