From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org, Bin Meng, Peter Maydell, Philippe Mathieu-Daudé, Alexander Bulekov, qemu-block@nongnu.org
Subject: [PATCH-for-6.1 v2 1/2] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT
Date: Tue, 3 Aug 2021 01:55:23 +0200
Message-Id: <20210802235524.3417739-2-f4bug@amsat.org>
In-Reply-To: <20210802235524.3417739-1-f4bug@amsat.org>

Per the 'Physical Layer Simplified Specification Version 3.01',
Table 4-22: 'Block Oriented Write Protection Commands'

  SEND_WRITE_PROT (CMD30)
  If the card provides write protection features, this command asks
  the card to send the status of the write protection bits [1].

  [1] 32 write protection bits (representing 32 write protect groups
  starting at the specified address) [...]
  The last (least significant) bit of the protection bits corresponds
  to the first addressed group. If the addresses of the last groups
  are outside the valid range, then the corresponding write protection
  bits shall be set to 0.

Split the if() statement (without changing the behaviour of the code)
to better position the description comment.

Reviewed-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Tested-by: Alexander Bulekov
---
 hw/sd/sd.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 1f964e022b1..707dcc12a14 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -822,7 +822,14 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) =20 for (i =3D 0; i < 32; i++, wpnum++, addr +=3D WPGROUP_SIZE) { assert(wpnum < sd->wpgrps_size); - if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { + if (addr >=3D sd->size) { + /* + * If the addresses of the last groups are outside the valid r= ange, + * then the corresponding write protection bits shall be set t= o 0. + */ + continue; + } + if (test_bit(wpnum, sd->wp_groups)) { ret |=3D (1 << i); } } --=20 2.31.1
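Review bot: the new early `continue` for `addr >=3D sd->size` sits below `assert(wpnum < sd->wpgrps_size)`, so for a query whose 32-group window extends past the end of the card the assertion still fires before the out-of-range branch is ever reached; the split only moves the `test_bit()` read, which is consistent with the "without changing the behaviour" claim in the commit message, but it means the spec sentence quoted in the new comment is not honoured by this hunk on its own until the assertion is moved below the range check (as 2/2 does). A sentence in the commit message saying this patch is comment-only and that the functional fix follows in 2/2 would avoid a reader assuming the comment describes the current behaviour. Unrelated to the change but visible in the context: `ret |=3D (1 << i)` runs with `i` up to 31, and `1 << 31` on a 32-bit `int` is not well defined in C; `1U << i` (or QEMU's `BIT()` helper) would be the safe form.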
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org, Bin Meng, Peter Maydell, Philippe Mathieu-Daudé, Alexander Bulekov, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH-for-6.1 v2 2/2] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
Date: Tue, 3 Aug 2021 01:55:24 +0200
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
In-Reply-To: <20210802235524.3417739-1-f4bug@amsat.org>

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):

  qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
  #3 0x7f62a8b22c91 in __assert_fail
  #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
  #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
  #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
  #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
  #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
  #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
  #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5

It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).

In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Tested-by: Alexander Bulekov
---
 hw/sd/sd.c                     |  2 +-
 tests/qtest/fuzz-sdcard-test.c | 36 ++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 707dcc12a14..bb5dbff68c0 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -821,7 +821,6 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) wpnum =3D sd_addr_to_wpnum(addr); =20 for (i =3D 0; i < 32; i++, wpnum++, addr +=3D WPGROUP_SIZE) { - assert(wpnum < sd->wpgrps_size); if (addr >=3D sd->size) { /* * If the addresses of the last groups are outside the valid r= ange, @@ -829,6 +828,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) */ continue; } + assert(wpnum < sd->wpgrps_size); if (test_bit(wpnum, sd->wp_groups)) { ret |=3D (1 << i); }
diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
index 96602eac7e5..ae14305344a 100644
--- a/tests/qtest/fuzz-sdcard-test.c
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -52,6 +52,41 @@ static void oss_fuzz_29225(void) qtest_quit(s); } =20 +/* + * https://gitlab.com/qemu-project/qemu/-/issues/495 + * Used to trigger: + * Assertion `wpnum < sd->wpgrps_size' failed. + */ +static void oss_fuzz_36217(void) +{ + QTestState *s; + + s =3D qtest_init(" -display none -m 32 -nodefaults -nographic" + " -device sdhci-pci,sd-spec-version=3D3 " + "-device sd-card,drive=3Dd0 " + "-drive if=3Dnone,index=3D0,file=3Dnull-co://,format=3D= raw,id=3Dd0"); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe0000000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x02); + qtest_bufwrite(s, 0xe000002c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x37", 0x1); + qtest_bufwrite(s, 0xe000000a, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x29", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x02", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x03", 0x1); + qtest_bufwrite(s, 0xe0000005, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x06", 0x1); + qtest_bufwrite(s, 0xe000000c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000e, "\x20", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x08", 0x1); + qtest_bufwrite(s, 0xe000000b, "\x3d", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x1e", 0x1); + + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch =3D qtest_get_arch(); @@ -60,6 +95,7 @@ int main(int argc, char **argv) =20 if (strcmp(arch, "i386") =3D=3D 0) { qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225); + qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217); } =20 return g_test_run(); --=20 2.31.1
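Review bot: in the two hw/sd/sd.c hunks, the relocated `assert(wpnum < sd->wpgrps_size)` is only sound if `addr < sd->size` guarantees `wpnum < sd->wpgrps_size`, i.e. if `wpgrps_size` is derived from `size` at the same `WPGROUP_SIZE` granularity that `sd_addr_to_wpnum()` uses; nothing near the assertion says so. A one-line comment stating that invariant above the assert would save the next reader from wondering whether an in-range address can still index past the bitmap. Since the trace in the commit message shows this assertion was reachable from a guest SDHCI register write (`sdhci_write` -> `sd_wpbits`), it is also worth checking that no other `wp_groups` accessor relies on an assertion alone for an index that comes from guest-supplied addresses.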
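Review bot: in the tests/qtest/fuzz-sdcard-test.c hunk, the new function is named `oss_fuzz_36217` and its comment cites gitlab issue 495, while the commit message's `Reported-by:` trailer says "OSS-Fuzz (Issue 29225)", which is the number of the existing `oss_fuzz_29225` test directly above it; one of the two looks like a copy-paste slip and the trailer and the test name should agree before this is merged. The body is a bare sequence of PCI config-space and SDHCI register writes with no explanation; a short comment on what it sets up (BAR0 mapped at 0xe0000000 via the 0xcf8/0xcfc writes, memory decoding enabled, then the command sequence whose final write of 0x1e to offset 0x0f issues CMD30) would make the reproducer maintainable if the register layout ever changes. Registering it only under `strcmp(arch, "i386")` matches the existing test and is fine for a reproducer.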
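The CMD30 semantics quoted in 1/2 (bit 0 is the first addressed group, groups past the end of the card report 0) together with the ordering restored in 2/2 (range check first, assertion and bitmap index only afterwards), as an added, self-contained C model. This is not QEMU's `SDState` or `sd_wpbits()`: the `ModelCard` struct, the 4 KiB group size, `MAX_WPGROUPS` and every `model_*` helper are assumptions made for this example, and the 40-group card in `main()` is constructed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of an SD card's write-protect groups and of the
 * SEND_WRITE_PROT (CMD30) status word. Not QEMU's code: the layout, the
 * group size and the model_ names are assumptions for this example.
 */
#define WPGROUP_SHIFT 12                    /* assumed: 4 KiB per write-protect group */
#define WPGROUP_SIZE  (1ULL << WPGROUP_SHIFT)
#define MAX_WPGROUPS  64                    /* capacity of the model's bitmap */

typedef struct {
    uint64_t size;                          /* card capacity in bytes */
    uint32_t wpgrps_size;                   /* number of write-protect groups */
    bool wp_groups[MAX_WPGROUPS];           /* per-group write-protect flag */
} ModelCard;

/*
 * Initialise a card of 'size' bytes. wpgrps_size is derived from size at the
 * same granularity model_addr_to_wpnum() uses; that invariant is what makes
 * "addr < size" imply "group index < wpgrps_size".
 */
static bool model_card_init(ModelCard *card, uint64_t size)
{
    if ((size >> WPGROUP_SHIFT) > MAX_WPGROUPS) {
        return false;                       /* larger than the model's bitmap */
    }
    card->size = size;
    card->wpgrps_size = (uint32_t)(size >> WPGROUP_SHIFT);
    for (size_t i = 0; i < MAX_WPGROUPS; i++) {
        card->wp_groups[i] = false;
    }
    return true;
}

/* Set or clear one group's write-protect flag; rejects indices past the card. */
static bool model_card_set_wp(ModelCard *card, uint32_t group, bool on)
{
    if (group >= card->wpgrps_size) {
        return false;
    }
    card->wp_groups[group] = on;
    return true;
}

static uint32_t model_addr_to_wpnum(uint64_t addr)
{
    return (uint32_t)(addr >> WPGROUP_SHIFT);
}

/*
 * Build the 32-bit CMD30 status for the 32 groups starting at addr. Bit i
 * describes the group at addr + i * WPGROUP_SIZE, so bit 0 is the first
 * addressed group. Groups beyond the end of the card report 0. The range
 * check runs before the bitmap is indexed; the assertion sits after it.
 */
static uint32_t model_wpbits(const ModelCard *card, uint64_t addr)
{
    uint32_t ret = 0;
    uint32_t wpnum = model_addr_to_wpnum(addr);

    for (uint32_t i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr >= card->size) {
            continue;                       /* out of range: bit stays 0 */
        }
        /* Only in-range addresses reach this point, so the index is valid. */
        assert(wpnum < card->wpgrps_size);
        if (card->wp_groups[wpnum]) {
            ret |= (1U << i);               /* unsigned: 1U << 31 is well defined */
        }
    }
    return ret;
}

/*
 * True when the 32-group window starting at addr runs past the end of the
 * card. The spec allows such a query; it is the case the assertion rejected
 * while it still preceded the range check.
 */
static bool model_window_exceeds_card(const ModelCard *card, uint64_t addr)
{
    return (addr >> WPGROUP_SHIFT) + 32 > card->wpgrps_size;
}

int main(void)
{
    ModelCard card;

    /* Constructed card: 40 groups, with groups 8, 9 and 39 write-protected. */
    if (!model_card_init(&card, 40 * WPGROUP_SIZE)) {
        return 1;
    }
    model_card_set_wp(&card, 8, true);
    model_card_set_wp(&card, 9, true);
    model_card_set_wp(&card, 39, true);

    for (uint64_t start = 8; start <= 30; start += 11) {
        uint64_t addr = start * WPGROUP_SIZE;
        printf("CMD30 from group %2llu: status 0x%08x%s\n",
               (unsigned long long)start, (unsigned)model_wpbits(&card, addr),
               model_window_exceeds_card(&card, addr) ? " (window past end of card)" : "");
    }
    return 0;
}
```

Querying from group 8 covers groups 8 to 39, all inside the 40-group card, so the result is 0x80000003; querying from group 20 or 30 reaches past the card, which the model answers with zero bits rather than an assertion failure, because the range check is evaluated before `wp_groups` is ever indexed.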