From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Alexander Bulekov, Philippe Mathieu-Daudé
Subject: [PULL 13/13] hw/sd/sdcard: Assert if accessing an illegal group
Date: Wed, 21 Oct 2020 19:34:50 +0200
Message-Id: <20201021173450.2616910-14-f4bug@amsat.org>
In-Reply-To: <20201021173450.2616910-1-f4bug@amsat.org>

We cannot have more groups than 'wpgrps_size'.
Assert if we are accessing a group above this limit.

Signed-off-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20201015063824.212980-7-f4bug@amsat.org>

--- hw/sd/sd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 4454d168e2f..c3febed2434 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -780,6 +780,7 @@ static void sd_erase(SDState *sd) sd->csd[14] |=3D 0x40; =20 for (i =3D erase_start; i <=3D erase_end; i++) { + assert(i < sd->wpgrps_size); if (test_bit(i, sd->wp_groups)) { sd->card_status |=3D WP_ERASE_SKIP; } @@ -794,6 +795,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) wpnum =3D sd_addr_to_wpnum(addr); =20 for (i =3D 0; i < 32; i++, wpnum++, addr +=3D WPGROUP_SIZE) { + assert(wpnum < sd->wpgrps_size); if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { ret |=3D (1 << i); } --=20 2.26.2
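
Review bot: In the sd_erase() hunk the new assert sits inside the loop, after 'sd->csd[14] |= 0x40' has already changed card state, so an out-of-range erase_end is only caught mid-operation and only by aborting the process. Because i only increases, one check of erase_end against sd->wpgrps_size before the loop covers every iteration. If erase_start or erase_end can carry values that come from the guest, rejecting the range with an error status would be preferable to an abort the guest can trigger; if they cannot, a one-line comment saying where the bound is enforced would make the invariant reviewable.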
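
Review bot: In the sd_wpbits() hunk the assert is evaluated before the existing 'addr < sd->size' guard, so it also fires on iterations where the original condition would short-circuit and never read sd->wp_groups. The loop always runs 32 times with wpnum++ and addr += WPGROUP_SIZE, so for an addr close to the end of the card wpnum may reach sd->wpgrps_size while addr is already >= sd->size, turning an iteration that performs no bitmap access into an abort. Suggest asserting only once 'addr < sd->size' holds, or leaving the loop as soon as addr >= sd->size.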