From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Bin Meng, Philippe Mathieu-Daudé, Bin Meng, Li Qiang, Mauro Matteo Cascella, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Subject: [PATCH] hw/sd/sdhci: Do not modify BlockSizeRegister if transaction in progress
Date: Mon, 8 Feb 2021 20:34:49 +0100
Message-Id: <20210208193450.2689517-1-f4bug@amsat.org>
X-Mailer: git-send-email 2.26.2

Per the "SD Host Controller Simplified Specification Version 2.00"
spec. 'Table 2-4 : Block Size Register':

  Transfer Block Size [...] can be accessed only if no
  transaction is executing (i.e., after a transaction has
  stopped). Read operations during transfers may return an
  invalid value, and write operations shall be ignored.

Transactions will update 'data_count', so do not modify 'blksize'
and 'blkcnt' when 'data_count' is used.
This fixes:

  $ cat << EOF | qemu-system-x86_64 -qtest stdio -monitor none \
      -nographic -serial none -M pc-q35-5.0 \
      -device sdhci-pci,sd-spec-version=3 \
      -device sd-card,drive=mydrive \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive
  outl 0xcf8 0x80001810
  outl 0xcfc 0xe1068000
  outl 0xcf8 0x80001814
  outl 0xcf8 0x80001804
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fa20
  write 0xe106802c 0x1 0x0f
  write 0xe1068004 0xc 0x2801d10101fffffbff28a384
  write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
  write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
  write 0xe1068003 0x1 0xfe
  EOF
  =================================================================
  ==2686219==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500003bb00 at pc 0x55ab469f456c bp 0x7ffee71be330 sp 0x7ffee71bdae0
  WRITE of size 4 at 0x61500003bb00 thread T0
      #0 0x55ab469f456b in __asan_memcpy (qemu-system-i386+0x1cea56b)
      #1 0x55ab483dc396 in stl_he_p include/qemu/bswap.h:353:5
      #2 0x55ab483af5e4 in stn_he_p include/qemu/bswap.h:546:1
      #3 0x55ab483aeb4b in flatview_read_continue softmmu/physmem.c:2839:13
      #4 0x55ab483b0705 in flatview_read softmmu/physmem.c:2877:12
      #5 0x55ab483b028e in address_space_read_full softmmu/physmem.c:2890:18
      #6 0x55ab483b1294 in address_space_rw softmmu/physmem.c:2918:16
      #7 0x55ab479374a2 in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
      #8 0x55ab47936f50 in dma_memory_rw include/sysemu/dma.h:127:12
      #9 0x55ab4793665f in dma_memory_read include/sysemu/dma.h:145:12
      #10 0x55ab4792f176 in sdhci_sdma_transfer_multi_blocks hw/sd/sdhci.c:639:13
      #11 0x55ab4793dc9d in sdhci_write hw/sd/sdhci.c:1129:17
      #12 0x55ab483f8db8 in memory_region_write_accessor softmmu/memory.c:491:5
      #13 0x55ab483f868a in access_with_adjusted_size softmmu/memory.c:552:18
      #14 0x55ab483f6da5 in memory_region_dispatch_write softmmu/memory.c:1501:16
      #15 0x55ab483c3b11 in flatview_write_continue softmmu/physmem.c:2774:23
      #16 0x55ab483b0eb6 in flatview_write softmmu/physmem.c:2814:14
      #17 0x55ab483b0a3e in address_space_write softmmu/physmem.c:2906:18
      #18 0x55ab48465c56 in qtest_process_command softmmu/qtest.c:654:9

  0x61500003bb00 is located 0 bytes to the right of 512-byte region [0x61500003b900,0x61500003bb00)
  allocated by thread T0 here:
      #0 0x55ab469f58a7 in calloc (qemu-system-i386+0x1ceb8a7)
      #1 0x7f21d678f9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
      #2 0x55ab479530ed in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
      #3 0x55ab476f102a in pci_qdev_realize hw/pci/pci.c:2108:9
      #4 0x55ab48baaad2 in device_set_realized hw/core/qdev.c:761:13

  SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1cea56b) in __asan_memcpy
  Shadow bytes around the buggy address:
    0x0c2a7ffff710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7ffff720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7ffff730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7ffff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7ffff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7ffff760:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7ffff770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7ffff780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7ffff790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7ffff7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7ffff7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:     fa
    Freed heap region:     fd
  ==2686219==ABORTING

Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Signed-off-by: Philippe Mathieu-Daudé
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Tested-by: Alexander Bulekov
Tested-by: Mauro Matteo Cascella
---
Cc: Mauro Matteo Cascella
Cc: Alexander Bulekov
Cc: Alistair Francis
Cc: Prasad J Pandit
Cc: Bandan Das

RFC because missing Reported-by tags, launchpad/bugzilla links and
qtest reproducer. Sending for review meanwhile.
---
 hw/sd/sdhci.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 8ffa53999d8..7ac7d9af9e4 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1133,6 +1133,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         }
         break;
     case SDHC_BLKSIZE:
+        if (s->data_count) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Can not update blksize when"
+                          " transaction is executing\n", __func__);
+            break;
+        }
         if (!TRANSFERRING_DATA(s->prnsts)) {
             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
-- 
2.26.2
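Review bot: The new guard in the SDHC_BLKSIZE case keeps the register read-only for as long as s->data_count is non-zero, so every path that ends or aborts a transfer (including any reset) must clear data_count, or a guest that abandons a transaction can never program a new block size again; worth confirming those paths before this goes in, since the existing TRANSFERRING_DATA(s->prnsts) check evidently was not enough on its own. Two smaller points: the early break also skips the blkcnt update in the second MASKED_WRITE, so the LOG_GUEST_ERROR text could say "blksize/blkcnt" rather than only blksize, and "Can not" reads better as "Cannot".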
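As an added illustration of the rule the commit message states (a write to the Block Size register is ignored while data_count is non-zero), here is a small C model that is not QEMU's code: the 512-byte buffer size, the 12-bit blksize mask and the data_count flag come from the ASan report and the hunk above, while the buffer's role as the overrun target and the block-staging step are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the SDHCI state touched by the patch; not QEMU code.
 * FIFO_LEN is the 512-byte region from the ASan report (assumed overrun target). */
#define FIFO_LEN 512

typedef struct {
    uint8_t  fifo[FIFO_LEN];
    uint16_t blksize;    /* low 12 bits of SDHC_BLKSIZE, as in the hunk */
    uint16_t blkcnt;     /* upper 16 bits of the same 32-bit write */
    uint32_t data_count; /* non-zero while a transaction is executing */
} sdhci_model;

/* Guest write to SDHC_BLKSIZE. Returns 1 if applied, 0 if ignored. */
static int write_blksize(sdhci_model *s, uint32_t value, int guarded)
{
    if (guarded && s->data_count) {
        return 0; /* the fix: writes during a transaction are ignored */
    }
    s->blksize = value & 0xfff;          /* extract32(value, 0, 12) */
    s->blkcnt  = (uint16_t)(value >> 16);
    return 1;
}

/* One SDMA block step: stage blksize bytes into the fifo. Returns bytes
 * staged, or -1 when the block would overrun the fifo (the condition the
 * ASan report shows as a heap-buffer-overflow). */
static int sdma_stage_block(sdhci_model *s, const uint8_t *src, size_t len)
{
    if (s->blksize > FIFO_LEN || s->blksize > len) {
        return -1;
    }
    memcpy(s->fifo, src, s->blksize);
    s->data_count += s->blksize;
    return (int)s->blksize;
}

/* Scenario: a transfer is in flight with blksize=512 (data_count != 0),
 * then the guest writes blkcnt=2/blksize=4095. Returns the next step's result. */
static int scenario(int guarded)
{
    static const uint8_t guest_mem[4096]; /* constructed DMA source */
    sdhci_model s;
    memset(&s, 0, sizeof(s));
    s.blksize = 512;
    sdma_stage_block(&s, guest_mem, sizeof(guest_mem));
    write_blksize(&s, 0x00020fffu, guarded);
    return sdma_stage_block(&s, guest_mem, sizeof(guest_mem));
}
```

With the guard, the mid-transfer write is dropped and the next block stays at 512 bytes; without it, blksize becomes 4095 and the step reports the overrun instead of copying.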