From nobody Mon Feb  9 14:34:35 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of _spf.google.com designates
 209.85.128.54 as permitted sender) client-ip=209.85.128.54;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-f54.google.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.54 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1626037873; cv=none;
	d=zohomail.com; s=zohoarc;
	b=OQD5BeHiy+TtoWd9zTlWn4Xmy8/jX8EehGbqwceFfy4rq57OwpRIAyFvcRKS1gl9rN13vzzWAzTMtd1bILdW7qK3iZtaREjKI9eIg+qnxwlNUIDqPZaUy0uiOHwWhP/51qHryz6+FjJ0f1c8DfKQXYD1gbVTpUJYGS3OzG+MiSo=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626037873;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=9b99qKkXqy4QpriYCi8x0HuIidGuJL8c4prBnCRgJws=;
	b=X4qyNRoLMUqdlkfT0fWPFbXbeSBkfF2Q72a8gbaoaBMV7IlKPTkOzC5s78hgJ9G3GBFRy5ku3yeF7cG6QHN63sA3LoZQDha/RfpE7Bnn5Fua0yANOUoVoZ8RJgp9OzcL6ujhYB248VU5+RQk9Lj3h021G7vqS6yblKFjpQeNgBU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.54 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com
 [209.85.128.54]) by mx.zohomail.com
	with SMTPS id 1626037873816774.1392337000959;
 Sun, 11 Jul 2021 14:11:13 -0700 (PDT)
Received: by mail-wm1-f54.google.com with SMTP id
 b14-20020a1c1b0e0000b02901fc3a62af78so12892127wmb.3
        for <importer@patchew.org>; Sun, 11 Jul 2021 14:11:13 -0700 (PDT)
Return-Path: <philippe.mathieu.daude@gmail.com>
Return-Path: <philippe.mathieu.daude@gmail.com>
Received: from localhost.localdomain
 (abayonne-654-1-142-116.w86-222.abo.wanadoo.fr. [86.222.93.116])
        by smtp.gmail.com with ESMTPSA id
 b12sm12305034wrx.60.2021.07.11.14.11.11
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 11 Jul 2021 14:11:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=9b99qKkXqy4QpriYCi8x0HuIidGuJL8c4prBnCRgJws=;
        b=lQOS89ovG4IC82kq80G3tHBqOIahtLrTUN7pt9z+nih0+FpwqWbv6ut6BWDSS7PCAB
         TiMxnWb/7zzpMI/woeulirTZOlcO4CKloIFlVud+HnTqbJ1my3NR3Eaoo1tugOnYCLel
         KeWjCAbaPfktZsgcMYqcuxlGXwRodw9Qg8gt6AoMoofsssBP/3QUKweqBfLnikI0NWdP
         scXeE1Kl6ajufsi7ZAEbXdMLCthGYY0YEfrZOoul60EsdHYu4O1SC2lD+5tXgY5JTU4w
         UJnuxTVdzOOe4EHUqgxyhuHh3Pr8B5bAIlX4+6i/qYlT17eb6mMgJdggCB6URUpbelJg
         7hnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references:mime-version:content-transfer-encoding;
        bh=9b99qKkXqy4QpriYCi8x0HuIidGuJL8c4prBnCRgJws=;
        b=jIxye8oDYvFIq1PHo8vEgdGIZUWA2o2GD6XKoUzMp7SwOkXwSeKDn9/dg1rV3nzTwB
         jvm+SZJMQ+DfzrgrtFOLutKwIkLUR0e5a3Va5thTYO1Z7wkcs8ZtdpY9MEP7ztIkSipu
         jKcnVBO/ACHWKzyvKwOieHmBisUmGVl1/UlyVUiLF1DpVG3OoBT9S9iy71t8F2adEG8p
         rSlrB8Jn2+Gvp3OFzi6RMPPKOQtN/YfNDy9Whhs7OAHkqlg1l0qMmACEQYY6yy6yFc5H
         4rqWbdqOrRyNrPF4MT1IxgucWFMolJ81oNM2KZL7RY7mA99hupwTzVNzJzpg+PLTn5eW
         djKw==
X-Gm-Message-State: AOAM532XE7C6yvMqB9L9TtJsQy95VHsjC+JCVJMPjPyGGrIhFSXlH33d
	nW6CnJosvy+TsM79XGd8MUo=
X-Google-Smtp-Source: 
 ABdhPJxnfZSy4hBwqrJmhtGA+aFtv96ZDZrCJiAn/XlE5OyXiL4weD1PG9qmQEyD9YyzwMgNwe1Uyw==
X-Received: by 2002:a7b:ce82:: with SMTP id q2mr10613546wmj.60.1626037872104;
        Sun, 11 Jul 2021 14:11:12 -0700 (PDT)
Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng <bin.meng@windriver.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
	Bin Meng <bmeng.cn@gmail.com>
Subject: [PULL 1/4] hw/sd/sdcard: When card is in wrong state,
 log which state it is
Date: Sun, 11 Jul 2021 23:10:54 +0200
Message-Id: <20210711211057.2714586-2-f4bug@amsat.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org>
References: <20210711211057.2714586-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @gmail.com)
X-ZM-MESSAGEID: 1626037874248100001

We report the card is in an inconsistent state, but don't precise
in which state it is. Add this information, as it is useful when
debugging problems.

Signed-off-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-2-f4bug@amsat.org>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
---
 hw/sd/sd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 282d39a7042..d8fdf84f4db 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1504,7 +1504,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S=
DRequest req)
         return sd_illegal;
     }
=20
-    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd=
);
+    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
+                  req.cmd, sd_state_name(sd->state));
     return sd_illegal;
 }
=20
--=20
2.31.1

From nobody Mon Feb  9 14:34:35 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of _spf.google.com designates
 209.85.128.53 as permitted sender) client-ip=209.85.128.53;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-f53.google.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.53 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1626037880; cv=none;
	d=zohomail.com; s=zohoarc;
	b=DJpUwpggBBs0Oj33X9uRY7VlTB3iVXyP3x+9c/i3q7dQkNeS4oUchRE1mhE0GOfrlmVygqr1yTvISaWXkEd38TqzVTzcKp1ZxBsgyj6Q2I67C3RHA5Ol92g/Ana3+P3cTc2SMLMPHd+RHRx+sB7lgpBpheZ/NpGAjZR42ejS0RY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626037880;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=;
	b=ES0cN3avfTx0kziWrnnd75UsrIh/bGSaPWKYt1SnTFiKPxy9S06erV1oFfyIkYAwSsSofUf0k+jlmTL6N4not1GfYtTfEfD0JZqXII2DEOT8AJUW97p0ScK1262i7wkENeQD1NqX2N4uF/DBIsccbBozhPRkI+euYIBwNhWryOM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.53 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com
 [209.85.128.53]) by mx.zohomail.com
	with SMTPS id 1626037880533917.3846875112584;
 Sun, 11 Jul 2021 14:11:20 -0700 (PDT)
Received: by mail-wm1-f53.google.com with SMTP id g12so2140806wme.2
        for <importer@patchew.org>; Sun, 11 Jul 2021 14:11:19 -0700 (PDT)
Return-Path: <philippe.mathieu.daude@gmail.com>
Return-Path: <philippe.mathieu.daude@gmail.com>
Received: from localhost.localdomain
 (abayonne-654-1-142-116.w86-222.abo.wanadoo.fr. [86.222.93.116])
        by smtp.gmail.com with ESMTPSA id
 j10sm12080523wrt.35.2021.07.11.14.11.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 11 Jul 2021 14:11:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=;
        b=a2ZcGy3j1BlVyykZaA8ubL8iGR3DGuvqa+1MV3KO70cT06t+u+jol/CmMwBIQeevp1
         7HqaqVpCm94anwkRrbf0An7VCwaK3gZFB/IPZZSpS2ze4A0lq5kv1qOey7GaR3i+JlVn
         At9RmltowyGCKVf8cYBjelUSmI5Wf68nm3IokkiE0qNgVHMEmg0GKl60MM7F/2FyCepM
         kPKxaU3EJ5wEYsUhJicycN1rfu2lwG0zix+PkAABiEfCQpIQyAXi/hIU4O9QXM2OVXq2
         OEFkP1vkTw5KRWD4Um/gn4pGH2A94iF3D8nYljWfm+jZFnNuTbZGmnrjXI2AYynbJgsY
         AXnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references:mime-version:content-transfer-encoding;
        bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=;
        b=P+Ih/A1S98ZmbapzoI8Zjb6ZSOBzA9L98dIF6RX1vzj7KfJZay7oZ3l+JiDg+wyccG
         u8KRFDY3NDCnt7vO8KH/0YVUxzvMMZ70tGVm5f7y6aPJQoSnVqhMyBbPtz9rPH3yD449
         yXTyUHmfscxQ+9HyPGEIoSYCNyCxdtsBRY7yRIV6dnP0yLPyaIYphEQGE2xFsyhXYG8W
         u4HAfK5Wc2GbPZTlPibmFeibENK57uFDPuYF6EFSYsj4Heyb5WeEIHEMPgBF8g2S4ZrA
         PZg+XJrlGZovG4DB22HkLM992IkOC3tOfRU7XpkqgdiSwGFQm9LEm8lpPVH9LK/D3z0b
         liHg==
X-Gm-Message-State: AOAM532VceSMvC8KTEnwBFlbrxZANKDNv7aB/zLfU8J8Huix0AxTdK6l
	i9KuBuSslXbFxMmvNz4XRWw=
X-Google-Smtp-Source: 
 ABdhPJyYUHp92bNkOGe3HrpRtxW4ll2j6PCGfylNMnrGzgyxiAC0KGX1ch61BYSLe5f9+cDrkk349Q==
X-Received: by 2002:a7b:c113:: with SMTP id w19mr10910006wmi.44.1626037878792;
        Sun, 11 Jul 2021 14:11:18 -0700 (PDT)
Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng <bin.meng@windriver.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
	Bin Meng <bmeng.cn@gmail.com>
Subject: [PULL 2/4] hw/sd/sdcard: Extract address_in_range() helper,
 log invalid accesses
Date: Sun, 11 Jul 2021 23:10:55 +0200
Message-Id: <20210711211057.2714586-3-f4bug@amsat.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org>
References: <20210711211057.2714586-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @gmail.com)
X-ZM-MESSAGEID: 1626037882584100001

Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.

Signed-off-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-3-f4bug@amsat.org>
---
 hw/sd/sd.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index d8fdf84f4db..9c8dd11bad1 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
         sd->card_status &=3D ~CARD_IS_LOCKED;
 }
=20
+static bool address_in_range(SDState *sd, const char *desc,
+                             uint64_t addr, uint32_t length)
+{
+    if (addr + length > sd->size) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+                      desc, addr, sd->size, length);
+        sd->card_status |=3D ADDRESS_ERROR;
+        return false;
+    }
+    return true;
+}
+
 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 {
     uint32_t rca =3D 0x0000;
@@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S=
DRequest req)
         switch (sd->state) {
         case sd_transfer_state:
=20
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
=20
@@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S=
DRequest req)
         switch (sd->state) {
         case sd_transfer_state:
=20
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
=20
@@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S=
DRequest req)
=20
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >=3D sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
=20
@@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S=
DRequest req)
=20
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >=3D sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
=20
@@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
         if (sd->data_offset =3D=3D 0) {
             /* Start of the block - let's check the address is valid */
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+                                  sd->data_start, sd->blk_len)) {
                 break;
             }
             if (sd->size <=3D SDSC_MAX_CAPACITY) {
@@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd)
=20
     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
         if (sd->data_offset =3D=3D 0) {
-            if (sd->data_start + io_len > sd->size) {
-                sd->card_status |=3D ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+                                  sd->data_start, io_len)) {
                 return 0x00;
             }
             BLK_READ_BLOCK(sd->data_start, io_len);
--=20
2.31.1

From nobody Mon Feb  9 14:34:35 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of _spf.google.com designates
 209.85.221.44 as permitted sender) client-ip=209.85.221.44;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f44.google.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.44 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1626037885; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jJPo3LUvz8A3Axt1eI3TxJMCvlDY5wHwZQX+jP3L9vXvNtOWCm5eLGdgd9t+JHb2tuMackcpB7yer4N10hy+L1HMyi9z1+aOeDByq95awB6U1fujtk6wXf5A5wtFwjUBfhXIRsv1H89Jn8l5MqBqr67e1MLgRvvj+UGv4TMkrEg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626037885;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=eVIWfCIVMhcOo2kg3MCYw+w81wXdLPbXIbeUcYrRjBI=;
	b=E9cmo6eWCmEdKSrEE5/MLstQq0wFW4+KBWtW3Qd18gUtKJcoWdbfGtWE4CtdyaynPUJyNW1tr/KuMjmUF5LZyBGOYeMOzCLD5wzV4a9ntRj4Ccy4Ep05Jrfo/TZiAGHsZIVb5eqW6Q1Tq3aSKJ98yo8oPMVmJDnNHtLue4a5AOM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.44 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com
 [209.85.221.44]) by mx.zohomail.com
	with SMTPS id 1626037885418774.2768918486618;
 Sun, 11 Jul 2021 14:11:25 -0700 (PDT)
Received: by mail-wr1-f44.google.com with SMTP id l7so21180242wrv.7
        for <importer@patchew.org>; Sun, 11 Jul 2021 14:11:24 -0700 (PDT)
Return-Path: <philippe.mathieu.daude@gmail.com>
Return-Path: <philippe.mathieu.daude@gmail.com>
Received: from localhost.localdomain
 (abayonne-654-1-142-116.w86-222.abo.wanadoo.fr. [86.222.93.116])
        by smtp.gmail.com with ESMTPSA id
 x1sm19319556wmc.0.2021.07.11.14.11.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 11 Jul 2021 14:11:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=eVIWfCIVMhcOo2kg3MCYw+w81wXdLPbXIbeUcYrRjBI=;
        b=Y5FEBEx4LC/PaqkzZln8A6nTI0WC9RsJCt2Z8WnWHl24K2pH5ddckwIUDmtpaWQY+L
         LvIVisV9Hve7aL65+E8g6GNvRnhdi2ZbYZBaMde5gBzPG72mZ7/HTS7xao9eCL7aC7u7
         ZwPvHAN5ivipGR10hWmvskKYwEYg/QtrzQY3VLTNcqZDiWilDCnm9IFcbxNSJgDg9KC9
         iJzuPDOdq7x1Od6dxYduqHRf+xn2V3oo3wHsfsZQGqUGMJuJQfyqiWXquPnYrhLJyY8F
         MzTT+W23yhPvlxiNs4hc0xPDy4HeOeGki66OQob5HxwKi/ZEqjADNC81oP2LYhjaIhcv
         Cnqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references:mime-version:content-transfer-encoding;
        bh=eVIWfCIVMhcOo2kg3MCYw+w81wXdLPbXIbeUcYrRjBI=;
        b=tFvEUTplY8TMLie31skvYi4i3VjHITzUqkyo33daBTQpu/egoAXQvC78y91M6uNiGH
         l+F/+0PnrlpKt9R/2N2X7pYjyL7eeGJDHTC329jbawA3JKO0NF3CZ/YBNx3oGU2Kk8w1
         A6Wx6hvKaxN+jE9roRCbkBCsdvsvdXX0XZ07ao7BqxZjlqZSkIGZWinYA9uBXFK3EH4R
         EfEkCYvQL+zthxgRSorCWsHWp5QGtzzFEM/D2kh31ZWZMtKMLrrMg1hyUPWAuWGmMJyt
         uu60NPk2ldf9h0qUWWsTq5DoKWYJ8wKQF4fs9S/WQDF8BAsKahZv84T5lhwN51ySbPXP
         C7Og==
X-Gm-Message-State: AOAM532fpjPUFr2v/05OObGO3hEvnc8ojOD5irPObAzjZCz5BraOfjYM
	wR5Gh2MI5a45cLrZSjRyKf9m3K3SevWmd145
X-Google-Smtp-Source: 
 ABdhPJyDoe7hn4Zax/teBSPzhLF7mIju+2DW9zVfmCCB+HaSowPWqyktC+HNY/B/+ZRVsSPfFkTAeA==
X-Received: by 2002:a5d:64ac:: with SMTP id m12mr14857980wrp.89.1626037883688;
        Sun, 11 Jul 2021 14:11:23 -0700 (PDT)
Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng <bin.meng@windriver.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
	Bin Meng <bmeng.cn@gmail.com>
Subject: [PULL 3/4] hw/sd/sdcard: Check for valid address range in
 SEND_WRITE_PROT (CMD30)
Date: Sun, 11 Jul 2021 23:10:56 +0200
Message-Id: <20210711211057.2714586-4-f4bug@amsat.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org>
References: <20210711211057.2714586-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @gmail.com)
X-ZM-MESSAGEID: 1626037886617100001

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

  qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): =
Assertion `wpnum < sd->wpgrps_size' failed.
  =3D=3D11578=3D=3D ERROR: libFuzzer: deadly signal
  #8 0x7ffff628e091 in __assert_fail
  #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
  #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
  #11 0x5555588d777c in sd_do_command hw/sd/sd.c
  #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
  #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
  #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
  #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wp=
grps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
---
 hw/sd/sd.c                     |  5 +++
 tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
 MAINTAINERS                    |  3 +-
 tests/qtest/meson.build        |  1 +
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 tests/qtest/fuzz-sdcard-test.c

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c8dd11bad1..c753ae24ba9 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1379,6 +1379,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, =
SDRequest req)
=20
         switch (sd->state) {
         case sd_transfer_state:
+            if (!address_in_range(sd, "SEND_WRITE_PROT",
+                                  req.arg, sd->blk_len)) {
+                return sd_r1;
+            }
+
             sd->state =3D sd_sendingdata_state;
             *(uint32_t *) sd->data =3D sd_wpbits(sd, req.arg);
             sd->data_start =3D addr;
diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
new file mode 100644
index 00000000000..96602eac7e5
--- /dev/null
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -0,0 +1,66 @@
+/*
+ * QTest fuzzer-generated testcase for sdcard device
+ *
+ * Copyright (c) 2021 Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * https://gitlab.com/qemu-project/qemu/-/issues/450
+ * Used to trigger:
+ *  Assertion `wpnum < sd->wpgrps_size' failed.
+ */
+static void oss_fuzz_29225(void)
+{
+    QTestState *s;
+
+    s =3D qtest_init(" -display none -m 512m -nodefaults -nographic"
+                   " -device sdhci-pci,sd-spec-version=3D3"
+                   " -device sd-card,drive=3Dd0"
+                   " -drive if=3Dnone,index=3D0,file=3Dnull-co://,format=
=3Draw,id=3Dd0");
+
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xd0690);
+    qtest_outl(s, 0xcf8, 0x80001003);
+    qtest_outl(s, 0xcf8, 0x80001013);
+    qtest_outl(s, 0xcfc, 0xffffffff);
+    qtest_outl(s, 0xcf8, 0x80001003);
+    qtest_outl(s, 0xcfc, 0x3effe00);
+
+    qtest_bufwrite(s, 0xff0d062c, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\xb7", 0x1);
+    qtest_bufwrite(s, 0xff0d060a, "\xc9", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x29", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\xc2", 0x1);
+    qtest_bufwrite(s, 0xff0d0628, "\xf7", 0x1);
+    qtest_bufwrite(s, 0x0, "\xe3", 0x1);
+    qtest_bufwrite(s, 0x7, "\x13", 0x1);
+    qtest_bufwrite(s, 0x8, "\xe3", 0x1);
+    qtest_bufwrite(s, 0xf, "\xe3", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x03", 0x1);
+    qtest_bufwrite(s, 0xff0d0605, "\x01", 0x1);
+    qtest_bufwrite(s, 0xff0d060b, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060c, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060e, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x06", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x9e", 0x1);
+
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch =3D qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "i386") =3D=3D 0) {
+        qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
+   }
+
+   return g_test_run();
+}
diff --git a/MAINTAINERS b/MAINTAINERS
index 40d095dbbde..0e4e3761ebc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1824,7 +1824,8 @@ F: include/hw/sd/sd*
 F: hw/sd/core.c
 F: hw/sd/sd*
 F: hw/sd/ssi-sd.c
-F: tests/qtest/sd*
+F: tests/qtest/fuzz-sdcard-test.c
+F: tests/qtest/sdhci-test.c
=20
 USB
 M: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index ee7347b7275..e22a0792c58 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -21,6 +21,7 @@
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-=
test'] : []) + \
   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-t=
est'] : []) + \
   (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] :=
 []) + \
   [
   'cdrom-test',
   'device-introspect-test',
--=20
2.31.1

From nobody Mon Feb  9 14:34:35 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of _spf.google.com designates
 209.85.221.49 as permitted sender) client-ip=209.85.221.49;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f49.google.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.49 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1626037890; cv=none;
	d=zohomail.com; s=zohoarc;
	b=PjBsfKeGdlKbiA4O2G4WfkrF0VdTo96XKtZUUwTng0J6zxKoDwYrnUnO5rHMnXGU/ErhSF+DNM7gMgLB8lmLrX87bPy7/Ry40iKs2Zqd4xJdYxqFilUy89zJUuw38s+Ggt4YdzWLf3KPhlMJG3LgByKfe9sBgDIqVL7hxQGB/OQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626037890;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=ullh4nTE/uo1kNH6VLUCVAcg39XDupueIapcLcg3Jo0=;
	b=TxLS/Hfjmm7IPUKOG2x+3BieVGkE3f/233oxWbrenF5M7LwfghkIlqY296dspMhWXAMeMT3iMRRJzJ7gUEO+JnjSVvPlqtFSFYZiIAjGHH+hLL8WzmYy34y9fxCdst2NnD0Dky8mgXq9K2pcp5grst4gUdDRWImgrJl5R61TnMs=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.49 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com
 [209.85.221.49]) by mx.zohomail.com
	with SMTPS id 1626037890772937.5503493176576;
 Sun, 11 Jul 2021 14:11:30 -0700 (PDT)
Received: by mail-wr1-f49.google.com with SMTP id f17so22128535wrt.6
        for <importer@patchew.org>; Sun, 11 Jul 2021 14:11:30 -0700 (PDT)
Return-Path: <philippe.mathieu.daude@gmail.com>
Return-Path: <philippe.mathieu.daude@gmail.com>
Received: from localhost.localdomain
 (abayonne-654-1-142-116.w86-222.abo.wanadoo.fr. [86.222.93.116])
        by smtp.gmail.com with ESMTPSA id
 r67sm6437805wma.6.2021.07.11.14.11.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 11 Jul 2021 14:11:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=ullh4nTE/uo1kNH6VLUCVAcg39XDupueIapcLcg3Jo0=;
        b=ZQ29LSe8cYx6Wp0uomFQdo7ITLTGZB1D72T4f1qxpVp27ChQu+nDCJ9wFhy/JkiD1S
         0ISFvqJqw/no6qeZdEakC+BD/bkFt6ewEGJ8Gm+CE0OhDsrXW9edseWLbYGKtw8G5o8x
         F9iNSQppeo2znsnc9gF0ojthNMS6gRG0Hl3UBUFUxlIvH2wJeVpd1oWkcopfKLZ83b0i
         U7pbWKEThnjFhIkiPcWV+aXkeCDL3eyQz/UqD4ZbNZyjxQ3ZD6DmldfC6uvWFWAYEqXj
         JvtoHGJHk0Iblaj2L3+peta65IY0AYJXd+VCdc1zE74prMPW199ngyFjup2Gs6H3TNS9
         knbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references:mime-version:content-transfer-encoding;
        bh=ullh4nTE/uo1kNH6VLUCVAcg39XDupueIapcLcg3Jo0=;
        b=Ck/zpH0Jk7D6Iy5O0Xo1PwV2USWH8MKpR3WJzfJN/fYU2Ny3he4ZpW4umbb5FRlNe5
         CNiMxFzu/HvtnBI0V1XrNHZ245if76PrOjeRMQuhZ9gvtu0I3yiPhSMB90FPtQQZDy0d
         PuDSXnzHz1aMKpBXd+7h0rxNHljvJiWsUBkn1UK35meS8STvPRwMyPIoIFzJsIYBw+8s
         0uzY7oQn0KV0j95zWjLzBKFr7mLnpsFSQZM+SS/yLICXosLrAOe8IvcselYpntzqDGuo
         0rvKY1mbVIsZsa/gv3yZcfav98Qb9lQuPhMo9XN+GR0WofMO3WeLFue+2y0wZuHknQGj
         H7YA==
X-Gm-Message-State: AOAM531BSnBrKiCbpA5DJchKAxPDindVSgdzz9vY5oQa577eHrXmH92W
	Tg4zvjfKb4bRI6ugseuLFyk=
X-Google-Smtp-Source: 
 ABdhPJxddhKwt7gi1JUoeBk/ro0ZesDzru6hin49YYInA89v+gpQs4deSfW6/mM5e29cwgMGPIVtVA==
X-Received: by 2002:a5d:4bc6:: with SMTP id l6mr17164463wrt.53.1626037888969;
        Sun, 11 Jul 2021 14:11:28 -0700 (PDT)
Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng <bin.meng@windriver.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	Joanne Koong <joannekoong@gmail.com>,
	Bin Meng <bmeng.cn@gmail.com>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Subject: [PULL 4/4] hw/sd: sdhci: Enable 64-bit system bus capability in the
 default SD/MMC host controller
Date: Sun, 11 Jul 2021 23:10:57 +0200
Message-Id: <20210711211057.2714586-5-f4bug@amsat.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org>
References: <20210711211057.2714586-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @gmail.com)
X-ZM-MESSAGEID: 1626037892904100001

From: Joanne Koong <joannekoong@gmail.com>

The default SD/MMC host controller uses SD spec v2.00. 64-bit system bus ca=
pability
was added in v2.

In this change, we arrive at 0x157834b4 by computing (0x057834b4 | (1ul << =
28))
where 28 represents the BUS64BIT SDHC_CAPAB field.

Signed-off-by: Joanne Koong <joannekoong@gmail.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
Message-Id: <20210623185921.24113-1-joannekoong@gmail.com>
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
---
 hw/sd/sdhci-internal.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/sd/sdhci-internal.h b/hw/sd/sdhci-internal.h
index e8c753d6d1e..a76fc704e5e 100644
--- a/hw/sd/sdhci-internal.h
+++ b/hw/sd/sdhci-internal.h
@@ -316,16 +316,16 @@ extern const VMStateDescription sdhci_vmstate;
  * - 3.3v and 1.8v voltages
  * - SDMA/ADMA1/ADMA2
  * - high-speed
+ * - 64-bit system bus
  * max host controller R/W buffers size: 512B
  * max clock frequency for SDclock: 52 MHz
  * timeout clock frequency: 52 MHz
  *
  * does not support:
  * - 3.0v voltage
- * - 64-bit system bus
  * - suspend/resume
  */
-#define SDHC_CAPAB_REG_DEFAULT 0x057834b4
+#define SDHC_CAPAB_REG_DEFAULT 0x157834b4
=20
 #define DEFINE_SDHCI_COMMON_PROPERTIES(_state) \
     DEFINE_PROP_UINT8("sd-spec-version", _state, sd_spec_version, 2), \
--=20
2.31.1