From nobody Tue Feb 10 03:40:12 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of _spf.google.com designates 209.85.128.53 as permitted sender) client-ip=209.85.128.53; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-f53.google.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.53 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1626037880; cv=none; d=zohomail.com; s=zohoarc; b=DJpUwpggBBs0Oj33X9uRY7VlTB3iVXyP3x+9c/i3q7dQkNeS4oUchRE1mhE0GOfrlmVygqr1yTvISaWXkEd38TqzVTzcKp1ZxBsgyj6Q2I67C3RHA5Ol92g/Ana3+P3cTc2SMLMPHd+RHRx+sB7lgpBpheZ/NpGAjZR42ejS0RY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626037880; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=ES0cN3avfTx0kziWrnnd75UsrIh/bGSaPWKYt1SnTFiKPxy9S06erV1oFfyIkYAwSsSofUf0k+jlmTL6N4not1GfYtTfEfD0JZqXII2DEOT8AJUW97p0ScK1262i7wkENeQD1NqX2N4uF/DBIsccbBozhPRkI+euYIBwNhWryOM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.128.53 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.zohomail.com with SMTPS id 1626037880533917.3846875112584; Sun, 11 Jul 2021 14:11:20 -0700 (PDT) Received: by mail-wm1-f53.google.com with SMTP id g12so2140806wme.2 for ; Sun, 11 Jul 2021 14:11:19 -0700 (PDT) Return-Path: Return-Path: Received: from localhost.localdomain (abayonne-654-1-142-116.w86-222.abo.wanadoo.fr. [86.222.93.116]) by smtp.gmail.com with ESMTPSA id j10sm12080523wrt.35.2021.07.11.14.11.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jul 2021 14:11:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=a2ZcGy3j1BlVyykZaA8ubL8iGR3DGuvqa+1MV3KO70cT06t+u+jol/CmMwBIQeevp1 7HqaqVpCm94anwkRrbf0An7VCwaK3gZFB/IPZZSpS2ze4A0lq5kv1qOey7GaR3i+JlVn At9RmltowyGCKVf8cYBjelUSmI5Wf68nm3IokkiE0qNgVHMEmg0GKl60MM7F/2FyCepM kPKxaU3EJ5wEYsUhJicycN1rfu2lwG0zix+PkAABiEfCQpIQyAXi/hIU4O9QXM2OVXq2 OEFkP1vkTw5KRWD4Um/gn4pGH2A94iF3D8nYljWfm+jZFnNuTbZGmnrjXI2AYynbJgsY AXnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=XI/+RLNcOZRL3x9ImO4jyG/hJF8EqE05K9qsRROWbv8=; b=P+Ih/A1S98ZmbapzoI8Zjb6ZSOBzA9L98dIF6RX1vzj7KfJZay7oZ3l+JiDg+wyccG u8KRFDY3NDCnt7vO8KH/0YVUxzvMMZ70tGVm5f7y6aPJQoSnVqhMyBbPtz9rPH3yD449 yXTyUHmfscxQ+9HyPGEIoSYCNyCxdtsBRY7yRIV6dnP0yLPyaIYphEQGE2xFsyhXYG8W u4HAfK5Wc2GbPZTlPibmFeibENK57uFDPuYF6EFSYsj4Heyb5WeEIHEMPgBF8g2S4ZrA PZg+XJrlGZovG4DB22HkLM992IkOC3tOfRU7XpkqgdiSwGFQm9LEm8lpPVH9LK/D3z0b liHg== X-Gm-Message-State: AOAM532VceSMvC8KTEnwBFlbrxZANKDNv7aB/zLfU8J8Huix0AxTdK6l i9KuBuSslXbFxMmvNz4XRWw= X-Google-Smtp-Source: ABdhPJyYUHp92bNkOGe3HrpRtxW4ll2j6PCGfylNMnrGzgyxiAC0KGX1ch61BYSLe5f9+cDrkk349Q== X-Received: by 2002:a7b:c113:: with SMTP id w19mr10910006wmi.44.1626037878792; Sun, 11 Jul 2021 14:11:18 -0700 (PDT) Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?= From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: Bin Meng , Alexander Bulekov , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Bin Meng Subject: [PULL 2/4] hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses Date: Sun, 11 Jul 2021 23:10:55 +0200 Message-Id: <20210711211057.2714586-3-f4bug@amsat.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org> References: <20210711211057.2714586-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1626037882584100001 Multiple commands have to check the address requested is valid. Extract this code pattern as a new address_in_range() helper, and log invalid accesses as guest errors. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Bin Meng Message-Id: <20210624142209.1193073-3-f4bug@amsat.org> --- hw/sd/sd.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index d8fdf84f4db..9c8dd11bad1 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd) sd->card_status &=3D ~CARD_IS_LOCKED; } =20 +static bool address_in_range(SDState *sd, const char *desc, + uint64_t addr, uint32_t length) +{ + if (addr + length > sd->size) { + qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n", + desc, addr, sd->size, length); + sd->card_status |=3D ADDRESS_ERROR; + return false; + } + return true; +} + static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) { uint32_t rca =3D 0x0000; @@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) switch (sd->state) { case sd_transfer_state: =20 - if (addr + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { return sd_r1; } =20 @@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) switch (sd->state) { case sd_transfer_state: =20 - if (addr + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { return sd_r1; } =20 @@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) =20 switch (sd->state) { case sd_transfer_state: - if (addr >=3D sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) { return sd_r1b; } =20 @@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, S= DRequest req) =20 switch (sd->state) { case sd_transfer_state: - if (addr >=3D sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) { return sd_r1b; } =20 @@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value) case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ if (sd->data_offset =3D=3D 0) { /* Start of the block - let's check the address is valid */ - if (sd->data_start + sd->blk_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", + sd->data_start, sd->blk_len)) { break; } if (sd->size <=3D SDSC_MAX_CAPACITY) { @@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd) =20 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ if (sd->data_offset =3D=3D 0) { - if (sd->data_start + io_len > sd->size) { - sd->card_status |=3D ADDRESS_ERROR; + if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", + sd->data_start, io_len)) { return 0x00; } BLK_READ_BLOCK(sd->data_start, io_len); --=20 2.31.1