From nobody Mon Feb 9 19:09:06 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) client-ip=209.85.221.54; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f54.google.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1625241550; cv=none; d=zohomail.com; s=zohoarc; b=XrQYZ5tgjTgXf6woX/ICKZEqEuNnC0paR+4CAsd/a6R+X9v1q/9VUkRFrXdX5yBo61hOXRQonZmrHGMZWjh7m1IlZK7ClQd/P2gKmT91AFtW58lC+f2y5HQVl4nM4h4qxAtXjZN90mCFqMY0/HIS761A3DLrnvMf8awQPzQNnvg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625241550; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To; bh=g3mXQWSPJFZt6+QzEux1hZKoh5RScSdBLOmydGx074Y=; b=DFnaosk0l93EK6+w8QlIE9uMXhqTqtGWcuQPWw/s/FPmFDF/FcGqsCIb0puD72PgQtiBIry+JkpA0GZ2q3CpSI15DxkWsd7Hn+X4Eu1DrbV1RxMKU1LH5uwM3AU00bdTP5EZQJkwXmf1j4PIgD8Hsr8Bf0fQwgkzjH9YgeO3WnE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.zohomail.com with SMTPS id 16252415502811012.1099509039495; Fri, 2 Jul 2021 08:59:10 -0700 (PDT) Received: by mail-wr1-f54.google.com with SMTP id a8so1364244wrp.5 for ; Fri, 02 Jul 2021 08:59:09 -0700 (PDT) Return-Path: Return-Path: Received: from x1w.Ascou-CH1 (pop.92-184-108-23.mobile.abo.orange.fr. [92.184.108.23]) by smtp.gmail.com with ESMTPSA id w22sm13164965wmc.4.2021.07.02.08.59.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Jul 2021 08:59:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=g3mXQWSPJFZt6+QzEux1hZKoh5RScSdBLOmydGx074Y=; b=oee057xoNxavxbV3w1EcDoSX+iZJ6ApdzqcFjJt1iDHkg9BaqS3Y0X3X+qoGkPesVJ kbowZ3I7FrsS9YEMOqH/8WFqYrUu3vAyrcpfYR0bnIz3sPEX+TU3kyVzxrf253FjtfEK GcO1fOiZUJziYHy27+Be2czKDowXvuR2O6jh2vF4Iy/G/u15I542+jW2spUXE0Eg10O/ /gvKEB9tRAzr0uBdfTbBKH/uKPykthQYTwoIL28ksI7lcrz6LC8YglYAYgWhSMGat8IQ Je4GbY8P3PWaxfqVBRPwfKYyKrqABYKsEIrfFJDB1gBzzUPf/PkXy5eBbh165pBycIzf 1Meg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=g3mXQWSPJFZt6+QzEux1hZKoh5RScSdBLOmydGx074Y=; b=D88Nsb/pR97oq/wpq/+Uh4YDq7Z3MULbHYxA+/ziAQ1xNCJH7dDD0f45jDs7bjcasG HKNWYUHB4l0k5UoGeSilAqK7V9vqnH3Vkix87bts1P/D74wESahJbNEEbUqUekakO8DP Ou6Sgxxa4pb3w5jE4bMX+We8c7y1WpxT70bar6ZQl5nwy5bDZnt4lBmxRYSQKgVBuhLO STQvNW+s7Eccn6DNaknoYqz1wK7mgyFaCi+U2EYRrLKRtx0Spd5Chxbe7lBMVXSsyl9k vmDkRC+JxoxxpdjTciZF4A5YeGM2tjzoNNg3gXpQBIXz5tmEwnvn8cEPPMz4gLGBLd6o cXSQ== X-Gm-Message-State: AOAM531UXb7iZX3nM+NEdw0wejFH+j0i2whurQWnl8Yz566vvX4/OLdW qheQQIZrkjsHeUZO+hTEXtU= X-Google-Smtp-Source: ABdhPJy2COYHmYt0mzeBI524gpiv2nXVcQmSZd0yi3aOFmCpFANUA1Xfl6iczGHWyzAIDXa389Y3Cg== X-Received: by 2002:a5d:62c2:: with SMTP id o2mr385964wrv.234.1625241548617; Fri, 02 Jul 2021 08:59:08 -0700 (PDT) Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?= From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Alexander Bulekov , Michael Olbrich , Bin Meng , Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Bin Meng Subject: [PATCH 1/3] hw/sd: When card is in wrong state, log which state it is Date: Fri, 2 Jul 2021 17:58:58 +0200 Message-Id: <20210702155900.148665-2-f4bug@amsat.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210702155900.148665-1-f4bug@amsat.org> References: <20210702155900.148665-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1625241550761100001 We report the card is in an inconsistent state, but don't precise in which state it is. Add this information, as it is useful when debugging problems. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Bin Meng Message-Id: <20210624142209.1193073-2-f4bug@amsat.org> Reviewed-by: Alexander Bulekov --- hw/sd/sd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 282d39a7042..d8fdf84f4db 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1504,7 +1504,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) return sd_illegal; } =20 - qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd= ); + qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n", + req.cmd, sd_state_name(sd->state)); return sd_illegal; } =20 --=20 2.31.1 From nobody Mon Feb 9 19:09:06 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of _spf.google.com designates 209.85.221.51 as permitted sender) client-ip=209.85.221.51; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f51.google.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.51 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1625241555; cv=none; d=zohomail.com; s=zohoarc; b=as6gs2SG1HmTDPIkJg9zVz5rOKb8UTy2P/Tg06FQd3ELrB0STKt7+Z5S3dWH3rULLzEYKivwRppuRM/Jlkb8sR9p4814n+BA4PR6f4tD/Fr5ddyN85mL3YVfuvhrtKdp8LPkIUtDqH8XcOrXEgYsE1NZX6RA7XbvIdSj9q0qzjM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625241555; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=l+h/PYHREn87cK3GatxPr8Tx2S/Qn5K/kKfAR6F00xbLv5vrOnnllcWlB4VzTEWk8EQVmNvuHL1vYI1M50NaXXt8NtFcmNPj/DKTKL3c10uHjz87nX+q9VYwAqa5sLAzZedT8EmIVdrBhHGH9vtvg+6m9biISP9/CMg798/hexU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.51 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.zohomail.com with SMTPS id 1625241555352537.0704767986847; Fri, 2 Jul 2021 08:59:15 -0700 (PDT) Received: by mail-wr1-f51.google.com with SMTP id m18so13065571wrv.2 for ; Fri, 02 Jul 2021 08:59:14 -0700 (PDT) Return-Path: Return-Path: Received: from x1w.Ascou-CH1 (pop.92-184-108-23.mobile.abo.orange.fr. [92.184.108.23]) by smtp.gmail.com with ESMTPSA id p16sm3559040wrs.52.2021.07.02.08.59.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Jul 2021 08:59:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=A8Ro89JPYfcDN835ciSNyfD5YervCwIvX2gZUkgvX3W7GrfUAJbZb87jafGQjlffBo 08LQOGdxSg8Sbz0JmwatBoD3qMYo+i0WTDzyIZwg+Jioi52DJAngNt4xO7mOM5ehlrLT MYZikWnTve+JI5pnPZQAW6GM+10cdiOcc4o4iF+tsr1zw47qIHuYYo7TA5AVnTH3V4Qh W8OickJHhaG4RSAXpb3ODJ7HMrv12eZzbXxPeGn0jXLrltrW6zCVsVsKRzxw+Ko26FIl 9vr8fkml8wWUB2SgMQFj4SsajDNi4gULUszrD21DiUBeRy8XlO/U/i3vbu2pMdRRodmV W1iQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=odcXJRDq1ZGhkLgs9Sebbdsb90RyPopveU8XoJSQiZSoAsZiHJnBGiQQYknRTSPC/q TaFIhpzcYnv8NodhF6ik74qu2a/zIqVmr0MIZa2XEETrw6KPRQV/YNzhPuUw/GERcqU5 wozE3NDsufp+r2Jeia6yZOcPt/8MkLoyGOZ53djs/O7RJI/I3vSjv5Aaeb54rUjK47Pi cb1quYHKnHB66ok2U4e2h/9ChNwBxAgdJm1nWZ88HzLhVYUHYoGfp0/Nc0yIDeeg5YpF JMMv5VQCJpo1mllRS6wM8eHZq+/7JRyVsKzF+gF/eutAwXYj6V5k+evJUT0nCG+hv5Qo chmA== X-Gm-Message-State: AOAM5332Cn1FmMbonbTRThL8g6zUIaopc6xcht38pDsu+jmuFzh309O0 agc6M4M7F64i9pDKZV1f6h0= X-Google-Smtp-Source: ABdhPJwtTbVVjQ1W2ll43RNguZT5N1bkrhT88ZwnatNXr0G+jwvPyvBlR30OzrV8+zWqYuw0uw7BCA== X-Received: by 2002:adf:d1cd:: with SMTP id b13mr387631wrd.228.1625241553661; Fri, 02 Jul 2021 08:59:13 -0700 (PDT) Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?= From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Alexander Bulekov , Michael Olbrich , Bin Meng , Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Bin Meng Subject: [PATCH 2/3] hw/sd: Extract address_in_range() helper, log invalid accesses Date: Fri, 2 Jul 2021 17:58:59 +0200 Message-Id: <20210702155900.148665-3-f4bug@amsat.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210702155900.148665-1-f4bug@amsat.org> References: <20210702155900.148665-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1625241557453100001 Multiple commands have to check the address requested is valid. Extract this code pattern as a new address_in_range() helper, and log invalid accesses as guest errors. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Bin Meng Message-Id: <20210624142209.1193073-3-f4bug@amsat.org> --- hw/sd/sd.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index d8fdf84f4db..9c8dd11bad1 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd) sd->card_status &=3D ~CARD_IS_LOCKED; } =20 +static bool address_in_range(SDState *sd, const char *desc, + uint64_t addr, uint32_t length) +{ + if (addr + length > sd->size) { + qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n", + desc, addr, sd->size, length); + sd->card_status |=3D ADDRESS_ERROR; + return false; + } + return true; +} + static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) { uint32_t rca =3D 0x0000; @@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) switch (sd->state) { case sd_transfer_state: =20 - if (addr + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { return sd_r1; } =20 @@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) switch (sd->state) { case sd_transfer_state: =20 - if (addr + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { return sd_r1; } =20 @@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) =20 switch (sd->state) { case sd_transfer_state: - if (addr >=3D sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) { return sd_r1b; } =20 @@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) =20 switch (sd->state) { case sd_transfer_state: - if (addr >=3D sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) { return sd_r1b; } =20 @@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value) case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ if (sd->data_offset =3D=3D 0) { /* Start of the block - let's check the address is valid */ - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", + sd->data_start, sd->blk_len)) { break; } if (sd->size <=3D SDSC_MAX_CAPACITY) { @@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd) =20 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ if (sd->data_offset =3D=3D 0) { - if (sd->data_start + io_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", + sd->data_start, io_len)) { return 0x00; } BLK_READ_BLOCK(sd->data_start, io_len); --=20 2.31.1 From nobody Mon Feb 9 19:09:06 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of _spf.google.com designates 209.85.128.47 as permitted sender) client-ip=209.85.128.47; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-f47.google.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.47 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1625241560; cv=none; d=zohomail.com; s=zohoarc; b=n0z4WLB74L68FmF2W77EBGzvBcPA/kKai445UTI4HAdJiGlIYvHyaTsKLU3mZwTZZ98SS0cNbKoh5RKt/gbZgI/Ma6wRHnMHSckAWINBUvMH1F7ow35WzNNjOdC1h/DlOwmsZFhxcVDqUrv0nL0xHKCOgexoruaf/+xdPnToQqc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625241560; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To; bh=eEFMkPrEpfTYMfcx+GauUTLFahHxPHQ6xFUWavBNufI=; b=aPRRobmPEIf3RSVGNl5ddfFRVcyH0SYKAzPusRHtBtBz6w1fH5pg8rhXHjl4tLevcFS04sYG6H0GuI/Dd7CA4grQM3pvoX7fyoZuU6SshXPoWMwn44Rc06F5ynSHquSCL39ntrRWf2kceq04iEOnaAaMKZH/JUMe0toMlTJv2Ag= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.47 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.zohomail.com with SMTPS id 1625241560485707.9304866298806; Fri, 2 Jul 2021 08:59:20 -0700 (PDT) Received: by mail-wm1-f47.google.com with SMTP id g10so1134885wmh.2 for ; Fri, 02 Jul 2021 08:59:19 -0700 (PDT) Return-Path: Return-Path: Received: from x1w.Ascou-CH1 (pop.92-184-108-23.mobile.abo.orange.fr. [92.184.108.23]) by smtp.gmail.com with ESMTPSA id f2sm3703287wrq.69.2021.07.02.08.59.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Jul 2021 08:59:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eEFMkPrEpfTYMfcx+GauUTLFahHxPHQ6xFUWavBNufI=; b=c8eKygzMbnVXK4KgfTLLkqXgztOogIDHqCfCPFkG3pDX1rOD5WPWRh7VipIBv/G6EY /1Cjk0XzxhkhO5X/oLmX1EnujkUNj/xMhgMO3ckpiYqZ+ph+pBHJ1GcuAd6A5mfA/PdG f1ei1ULqPlQivqKF6PP8bsXXIXFc/H05KM+kXyQr3JR3TjKxALwTqWZI52NxKBt9c573 Xo//qwlfU+a8sFzQfCtq1534wMkSryIAJ/5Lg2BL4o3ZFdOLFOAubYWXuqYvN9sv6DHV F7adR9y1PtHe2ENF5lVJgoNPFcRvWfwSV+JBXBjmZbT/Hs1ZaDnlNhtwoCTJg4O50yA7 qNaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=eEFMkPrEpfTYMfcx+GauUTLFahHxPHQ6xFUWavBNufI=; b=YKUefZcgJNKunC+LLMwZoFNo1qTt9qM8F34cMoBpstfmm/iwNmMCmNe5FIY3vyHhYR kISQdoRN/jlEam+A29d2s1GwTEEe1OEiTOolI3MFVisToQxAnAx/I39bkZo+nvkHdgJh WXB0DU1ReObUMarMt7GeN/wAxfpeLXrG+KLETnN1UVvq3mUZL0ICa+WY/bzvGIZl5qup X6Ya6uEZETIvH1FE1+vNA0H7AGRF3UV86lKrTdTVi8ABBmNgIiubpUzteQzhQauwBZ0N V0EXX+DLhpYhaY0RbE7/u2lyuhiSkNEzCLJqjCKcqlQHCxCef4KA3ZZGBkwmD9Hu/EEk 1WAA== X-Gm-Message-State: AOAM532O2F+durbKPVPRPQa8k9ECoNogPZiPrZQjcpbpiqGp7MGS6vf1 YrcdEszjExV0MDnhqxBOxnkiP87DcphhzQ== X-Google-Smtp-Source: ABdhPJzeNHwAr4shu1i8Ebqt7VAIg+pp3ZAdcAR/oO1aLXUBQrk7YLSItOLrYAJWwO5bHPztqkLkqg== X-Received: by 2002:a05:600c:4111:: with SMTP id j17mr456000wmi.187.1625241558746; Fri, 02 Jul 2021 08:59:18 -0700 (PDT) Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?= From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Alexander Bulekov , Michael Olbrich , Bin Meng , Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Subject: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30) Date: Fri, 2 Jul 2021 17:59:00 +0200 Message-Id: <20210702155900.148665-4-f4bug@amsat.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210702155900.148665-1-f4bug@amsat.org> References: <20210702155900.148665-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1625241561793100001 OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers an assertion: qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): = Assertion `wpnum < sd->wpgrps_size' failed. =3D=3D11578=3D=3D ERROR: libFuzzer: deadly signal #8 0x7ffff628e091 in __assert_fail #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9 #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38 #11 0x5555588d777c in sd_do_command hw/sd/sd.c #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16 #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12 #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9 #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5 Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check for multi block reads"), check the address range before sending the status of the write protection bits. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wp= grps_size' failed. Reported-by: OSS-Fuzz (Issue 29225) Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450 Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Alexander Bulekov Reviewed-by: Bin Meng --- hw/sd/sd.c | 5 +++ tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++ MAINTAINERS | 3 +- tests/qtest/meson.build | 1 + 4 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 tests/qtest/fuzz-sdcard-test.c diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 9c8dd11bad1..c753ae24ba9 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1379,6 +1379,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, = SDRequest req) =20 switch (sd->state) { case sd_transfer_state: + if (!address_in_range(sd, "SEND_WRITE_PROT", + req.arg, sd->blk_len)) { + return sd_r1; + } + sd->state =3D sd_sendingdata_state; *(uint32_t *) sd->data =3D sd_wpbits(sd, req.arg); sd->data_start =3D addr; diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c new file mode 100644 index 00000000000..96602eac7e5 --- /dev/null +++ b/tests/qtest/fuzz-sdcard-test.c @@ -0,0 +1,66 @@ +/* + * QTest fuzzer-generated testcase for sdcard device + * + * Copyright (c) 2021 Philippe Mathieu-Daud=C3=A9 + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "libqos/libqtest.h" + +/* + * https://gitlab.com/qemu-project/qemu/-/issues/450 + * Used to trigger: + * Assertion `wpnum < sd->wpgrps_size' failed. + */ +static void oss_fuzz_29225(void) +{ + QTestState *s; + + s =3D qtest_init(" -display none -m 512m -nodefaults -nographic" + " -device sdhci-pci,sd-spec-version=3D3" + " -device sd-card,drive=3Dd0" + " -drive if=3Dnone,index=3D0,file=3Dnull-co://,format= =3Draw,id=3Dd0"); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xd0690); + qtest_outl(s, 0xcf8, 0x80001003); + qtest_outl(s, 0xcf8, 0x80001013); + qtest_outl(s, 0xcfc, 0xffffffff); + qtest_outl(s, 0xcf8, 0x80001003); + qtest_outl(s, 0xcfc, 0x3effe00); + + qtest_bufwrite(s, 0xff0d062c, "\xff", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\xb7", 0x1); + qtest_bufwrite(s, 0xff0d060a, "\xc9", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\x29", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\xc2", 0x1); + qtest_bufwrite(s, 0xff0d0628, "\xf7", 0x1); + qtest_bufwrite(s, 0x0, "\xe3", 0x1); + qtest_bufwrite(s, 0x7, "\x13", 0x1); + qtest_bufwrite(s, 0x8, "\xe3", 0x1); + qtest_bufwrite(s, 0xf, "\xe3", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\x03", 0x1); + qtest_bufwrite(s, 0xff0d0605, "\x01", 0x1); + qtest_bufwrite(s, 0xff0d060b, "\xff", 0x1); + qtest_bufwrite(s, 0xff0d060c, "\xff", 0x1); + qtest_bufwrite(s, 0xff0d060e, "\xff", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\x06", 0x1); + qtest_bufwrite(s, 0xff0d060f, "\x9e", 0x1); + + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch =3D qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") =3D=3D 0) { + qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225); + } + + return g_test_run(); +} diff --git a/MAINTAINERS b/MAINTAINERS index cfbf7ef79bc..fb33fe12200 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1794,7 +1794,8 @@ F: include/hw/sd/sd* F: hw/sd/core.c F: hw/sd/sd* F: hw/sd/ssi-sd.c -F: tests/qtest/sd* +F: tests/qtest/fuzz-sdcard-test.c +F: tests/qtest/sdhci-test.c =20 USB M: Gerd Hoffmann diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index b03e8541700..1bb75ee7324 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -21,6 +21,7 @@ (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-= test'] : []) + \ (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-t= est'] : []) + \ (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ + (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] := []) + \ [ 'cdrom-test', 'device-introspect-test', --=20 2.31.1