From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882657429917.1949632405309; Mon, 21 Mar 2022 10:10:57 -0700 (PDT) Received: from localhost ([::1]:60708 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLYW-0002H1-9P for importer@patchew.org; Mon, 21 Mar 2022 13:10:56 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42254) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRQ-0001dM-7c for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:36 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:46880) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRO-00056K-2j for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:35 -0400 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-306-7ezDjXGcMeeo7NKKC17ViQ-1; Mon, 21 Mar 2022 13:03:27 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CEDDB3C174C3; Mon, 21 Mar 2022 17:03:26 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2647040D2822; Mon, 21 Mar 2022 17:03:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882210; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=J95rbpkj87CAW3W15/KRRo91TCCezonRv7pSULKlia8=; b=OwyEMjXYObIGUjptFgyDjtcmWrKN8bWtj3htjFgB7bElNWmAkRxpHY3Iu2V4x8DjTUSZXZ El9RfRV1Nl8BdU6mp0ttiOdLgL2MdVmVD35hUIXfdbTLAX1qTwe375sF0CdT23Gt7xtkV6 TY1sE9TGlXiAIIsaxtiTfxCPeZKZb+8= X-MC-Unique: 7ezDjXGcMeeo7NKKC17ViQ-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 1/8] softmmu/physmem: Simplify flatview_write and address_space_access_valid Date: Mon, 21 Mar 2022 18:03:13 +0100 Message-Id: <20220321170320.282496-2-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882659749100003 From: Philippe Mathieu-Daud=C3=A9 Remove unuseful local 'result' variables. Reviewed-by: Peter Xu Reviewed-by: David Hildenbrand Reviewed-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Signed-off-by: Philippe Mathieu-Daud=C3=A9 Message-Id: <20211215182421.418374-3-philmd@redhat.com> Signed-off-by: Thomas Huth --- softmmu/physmem.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 43ae70fbe2..3d968ca92f 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -2816,14 +2816,11 @@ static MemTxResult flatview_write(FlatView *fv, hwa= ddr addr, MemTxAttrs attrs, hwaddr l; hwaddr addr1; MemoryRegion *mr; - MemTxResult result =3D MEMTX_OK; =20 l =3D len; mr =3D flatview_translate(fv, addr, &addr1, &l, true, attrs); - result =3D flatview_write_continue(fv, addr, attrs, buf, len, - addr1, l, mr); - - return result; + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); } =20 /* Called within RCU critical section. */ @@ -3139,12 +3136,10 @@ bool address_space_access_valid(AddressSpace *as, h= waddr addr, MemTxAttrs attrs) { FlatView *fv; - bool result; =20 RCU_READ_LOCK_GUARD(); fv =3D address_space_to_flatview(as); - result =3D flatview_access_valid(fv, addr, len, is_write, attrs); - return result; + return flatview_access_valid(fv, addr, len, is_write, attrs); } =20 static hwaddr --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882464720392.321020757798; Mon, 21 Mar 2022 10:07:44 -0700 (PDT) Received: from localhost ([::1]:53174 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLVR-0005bk-BB for importer@patchew.org; Mon, 21 Mar 2022 13:07:45 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42300) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRR-0001et-7J for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:37 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:60483) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRO-00056Z-53 for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:36 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-403-Cm3cAreyOXmEgE4BGs4hvg-1; Mon, 21 Mar 2022 13:03:29 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1F4B7802C16; Mon, 21 Mar 2022 17:03:29 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2035E40D2821; Mon, 21 Mar 2022 17:03:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882212; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KIBRlGQxSXS9XF5RRmjYDMe1486AbNnuC1Dog5NgKlU=; b=dprMsAsoT/B3RmDiWVANrXsp9noXIxOnSfOQbru416ShMz7G0MSohz3sKzmYPYGK7aibCv jFSTa3+ox/JDMPkkExdU8Q+NNlnZNvNxdPVK4HgN8y9A0lgqoX9RYdRIITFQccjmyPzWhi adYEwMPZKJ4CheOrM8JF23cefSYvqk4= X-MC-Unique: Cm3cAreyOXmEgE4BGs4hvg-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 2/8] softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR Date: Mon, 21 Mar 2022 18:03:14 +0100 Message-Id: <20220321170320.282496-3-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882467842100007 From: Philippe Mathieu-Daud=C3=A9 Add the 'memory' bit to the memory attributes to restrict bus controller accesses to memories. Introduce flatview_access_allowed() to check bus permission before running any bus transaction. Have read/write accessors return MEMTX_ACCESS_ERROR if an access is restricted. There is no change for the default case where 'memory' is not set. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Message-Id: <20211215182421.418374-4-philmd@redhat.com> Reviewed-by: Richard Henderson Reviewed-by: Stefan Hajnoczi [thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] Signed-off-by: Thomas Huth --- include/exec/memattrs.h | 9 +++++++++ softmmu/physmem.c | 44 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 51 insertions(+), 2 deletions(-) diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h index 95f2d20d55..9fb98bc1ef 100644 --- a/include/exec/memattrs.h +++ b/include/exec/memattrs.h @@ -35,6 +35,14 @@ typedef struct MemTxAttrs { unsigned int secure:1; /* Memory access is usermode (unprivileged) */ unsigned int user:1; + /* + * Bus interconnect and peripherals can access anything (memories, + * devices) by default. By setting the 'memory' bit, bus transaction + * are restricted to "normal" memories (per the AMBA documentation) + * versus devices. Access to devices will be logged and rejected + * (see MEMTX_ACCESS_ERROR). + */ + unsigned int memory:1; /* Requester ID (for MSI for example) */ unsigned int requester_id:16; /* Invert endianness for this page */ @@ -66,6 +74,7 @@ typedef struct MemTxAttrs { #define MEMTX_OK 0 #define MEMTX_ERROR (1U << 0) /* device returned an error */ #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ +#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ typedef uint32_t MemTxResult; =20 #endif diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 3d968ca92f..4e1b27a20e 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -42,6 +42,7 @@ #include "qemu/config-file.h" #include "qemu/error-report.h" #include "qemu/qemu-print.h" +#include "qemu/log.h" #include "qemu/memalign.h" #include "exec/memory.h" #include "exec/ioport.h" @@ -2760,6 +2761,33 @@ static bool prepare_mmio_access(MemoryRegion *mr) return release_lock; } =20 +/** + * flatview_access_allowed + * @mr: #MemoryRegion to be accessed + * @attrs: memory transaction attributes + * @addr: address within that memory region + * @len: the number of bytes to access + * + * Check if a memory transaction is allowed. + * + * Returns: true if transaction is allowed, false if denied. + */ +static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, + hwaddr addr, hwaddr len) +{ + if (likely(!attrs.memory)) { + return true; + } + if (memory_region_is_ram(mr)) { + return true; + } + qemu_log_mask(LOG_GUEST_ERROR, + "Invalid access to non-RAM device at " + "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " + "region '%s'\n", addr, len, memory_region_name(mr)); + return false; +} + /* Called within RCU critical section. */ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, @@ -2774,7 +2802,10 @@ static MemTxResult flatview_write_continue(FlatView = *fv, hwaddr addr, const uint8_t *buf =3D ptr; =20 for (;;) { - if (!memory_access_is_direct(mr, true)) { + if (!flatview_access_allowed(mr, attrs, addr1, l)) { + result |=3D MEMTX_ACCESS_ERROR; + /* Keep going. */ + } else if (!memory_access_is_direct(mr, true)) { release_lock |=3D prepare_mmio_access(mr); l =3D memory_access_size(mr, l, addr1); /* XXX: could force current_cpu to NULL to avoid @@ -2819,6 +2850,9 @@ static MemTxResult flatview_write(FlatView *fv, hwadd= r addr, MemTxAttrs attrs, =20 l =3D len; mr =3D flatview_translate(fv, addr, &addr1, &l, true, attrs); + if (!flatview_access_allowed(mr, attrs, addr, len)) { + return MEMTX_ACCESS_ERROR; + } return flatview_write_continue(fv, addr, attrs, buf, len, addr1, l, mr); } @@ -2837,7 +2871,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwa= ddr addr, =20 fuzz_dma_read_cb(addr, len, mr); for (;;) { - if (!memory_access_is_direct(mr, false)) { + if (!flatview_access_allowed(mr, attrs, addr1, l)) { + result |=3D MEMTX_ACCESS_ERROR; + /* Keep going. */ + } else if (!memory_access_is_direct(mr, false)) { /* I/O case */ release_lock |=3D prepare_mmio_access(mr); l =3D memory_access_size(mr, l, addr1); @@ -2880,6 +2917,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr= addr, =20 l =3D len; mr =3D flatview_translate(fv, addr, &addr1, &l, false, attrs); + if (!flatview_access_allowed(mr, attrs, addr, len)) { + return MEMTX_ACCESS_ERROR; + } return flatview_read_continue(fv, addr, attrs, buf, len, addr1, l, mr); } --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882433925258.5321617970927; Mon, 21 Mar 2022 10:07:13 -0700 (PDT) Received: from localhost ([::1]:51706 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLUv-0004cj-Qe for importer@patchew.org; Mon, 21 Mar 2022 13:07:13 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42306) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRR-0001fx-JA for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:37 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:60057) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRP-000577-Vj for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:37 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-456-n6I9OUvcOHqwH3bnRMEiwg-1; Mon, 21 Mar 2022 13:03:32 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A447F899EC2; Mon, 21 Mar 2022 17:03:31 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id B00AC40D2821; Mon, 21 Mar 2022 17:03:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882215; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MDWxGrKktgNZQCh7l/xgAvK/yCM6gzCkGFWydMGt6mY=; b=fiYIEy9r2Ug38tb1/61lW/Pz9Qs1fyBabIOO9ZkdflB1Dq0fU5ZpLahY3TUUQZgFcvDIQv LGOR6j1XFpPEgeEUmzNeY9hpMVJ7hAT5CsoypvrZY2WizjnXgWUj/PFvirRetYIoH7TKSz A/HakPcAP0/MwKm6pGjF7CGbzth19uk= X-MC-Unique: n6I9OUvcOHqwH3bnRMEiwg-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 3/8] hw/audio/intel-hda: Do not ignore DMA overrun errors Date: Mon, 21 Mar 2022 18:03:15 +0100 Message-Id: <20220321170320.282496-4-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882436487100001 From: Philippe Mathieu-Daud=C3=A9 Per the "High Definition Audio Specification" manual (rev. 1.0a), section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status": Response Overrun Interrupt Status (RIRBOIS): Hardware sets this bit to a 1 when an overrun occurs in the RIRB. An interrupt may be generated if the Response Overrun Interrupt Control bit is set. This bit will be set if the RIRB DMA engine is not able to write the incoming responses to memory before additional incoming responses overrun the internal FIFO. When hardware detects an overrun, it will drop the responses which overrun the buffer and set the RIRBOIS status bit to indicate the error condition. Optionally, if the RIRBOIC is set, the hardware will also generate an error to alert software to the problem. QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This function returns a MemTxResult indicating whether the DMA access was successful. Handle any MemTxResult error as "DMA engine is not able to write the incoming responses to memory" and raise the Overrun Interrupt flag when this case occurs. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Message-Id: <20211218160912.1591633-2-philmd@redhat.com> Signed-off-by: Thomas Huth --- hw/audio/intel-hda.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c index 5f8a878f20..47a36acc71 100644 --- a/hw/audio/intel-hda.c +++ b/hw/audio/intel-hda.c @@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, boo= l solicited, uint32_t res IntelHDAState *d =3D container_of(bus, IntelHDAState, codecs); hwaddr addr; uint32_t wp, ex; + MemTxResult res =3D MEMTX_OK; =20 if (d->ics & ICH6_IRS_BUSY) { dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", @@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bo= ol solicited, uint32_t res ex =3D (solicited ? 0 : (1 << 4)) | dev->cad; wp =3D (d->rirb_wp + 1) & 0xff; addr =3D intel_hda_addr(d->rirb_lbase, d->rirb_ubase); - stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); - stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + res |=3D stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); + res |=3D stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + if (res !=3D MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { + d->rirb_sts |=3D ICH6_RBSTS_OVERRUN; + intel_hda_update_irq(d); + } d->rirb_wp =3D wp; =20 dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882674753195.3514637792182; Mon, 21 Mar 2022 10:11:14 -0700 (PDT) Received: from localhost ([::1]:33400 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLYn-0002tL-PL for importer@patchew.org; Mon, 21 Mar 2022 13:11:13 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42344) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRU-0001kU-Rw for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:44 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:47564) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRT-00057t-4O for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:40 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-510-A0KEfrrbNOqUaq3G_2i9gA-1; Mon, 21 Mar 2022 13:03:35 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A61BC106655B; Mon, 21 Mar 2022 17:03:34 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1362F40C1241; Mon, 21 Mar 2022 17:03:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882218; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NtN/0Vd1s+Zrl8loa/eEgr2gfW6652xNROytJwkZarE=; b=eQLXsRb1Vj0VNogIysMB+nVBy3ZEfdCiJbV+q9bXvZzcLXNlP9LAvps2CeZZ7VQH6fin3u 99UfoHXUVbpl6deCAcPohi2qcZ0vOJsKlnOq8zmLnUXNzhDj2oWsH7iBRlZnSZL00CPtz5 Sm7lLl5os7qwIFK+sTKiQ6Bo9hln/zE= X-MC-Unique: A0KEfrrbNOqUaq3G_2i9gA-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 4/8] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices) Date: Mon, 21 Mar 2022 18:03:16 +0100 Message-Id: <20220321170320.282496-5-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882675926100001 From: Philippe Mathieu-Daud=C3=A9 Issue #542 reports a reentrancy problem when the DMA engine accesses the HDA controller I/O registers. Fix by restricting the DMA engine to memories regions (forbidding MMIO devices such the HDA controller). Reported-by: OSS-Fuzz (Issue 28435) Reported-by: Alexander Bulekov Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Thomas Huth Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542 CVE: CVE-2021-3611 Message-Id: <20211218160912.1591633-3-philmd@redhat.com> Signed-off-by: Thomas Huth --- hw/audio/intel-hda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c index 47a36acc71..78a47bc08c 100644 --- a/hw/audio/intel-hda.c +++ b/hw/audio/intel-hda.c @@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) =20 static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32= _t response) { - const MemTxAttrs attrs =3D MEMTXATTRS_UNSPECIFIED; + const MemTxAttrs attrs =3D { .memory =3D true }; HDACodecBus *bus =3D HDA_BUS(dev->qdev.parent_bus); IntelHDAState *d =3D container_of(bus, IntelHDAState, codecs); hwaddr addr; --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882821608120.14439499985644; Mon, 21 Mar 2022 10:13:41 -0700 (PDT) Received: from localhost ([::1]:41154 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLbC-0008Cb-8l for importer@patchew.org; Mon, 21 Mar 2022 13:13:42 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42390) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRa-0001nS-OX for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:47 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:22526) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRY-00058X-TZ for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:46 -0400 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-528-0ifbJ3zdPL-d5r42LePfVg-1; Mon, 21 Mar 2022 13:03:37 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1CD79296A63E; Mon, 21 Mar 2022 17:03:37 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id EADF340D2821; Mon, 21 Mar 2022 17:03:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882221; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fbzD8tD3uphUN1fOsll9ry9AyH/+AjFbtlUcJFEKjkc=; b=F5ayvcaYZCfagt7+irh8SR8zbKUiQ5X8TPTBhoa9gjnL3nmpY/tcDGhaDhXMNOF5czA38F P5OehLoDDR7aUPoU8KtRCP0qxTkSKKo+8UsiUquC7jknBXhjIkkrCfe4qBZltUFh5Nxp/E GMMMZzFSfC1eVOfdUzaO5mspL3JOkNk= X-MC-Unique: 0ifbJ3zdPL-d5r42LePfVg-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 5/8] tests/qtest/intel-hda-test: Add reproducer for issue #542 Date: Mon, 21 Mar 2022 18:03:17 +0100 Message-Id: <20220321170320.282496-6-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882829933100003 From: Philippe Mathieu-Daud=C3=A9 Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/542. Without the previous commit, we get: $ make check-qtest-i386 ... Running test tests/qtest/intel-hda-test AddressSanitizer:DEADLYSIGNAL =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D1580408=3D=3DERROR: AddressSanitizer: stack-overflow on address 0x7= ffc3d566fe0 #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:3= 56 #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15 #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15 #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10 #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:= 16 #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:= 16 #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 ... SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in addres= s_space_translate_internal =3D=3D1580408=3D=3DABORTING Broken pipe Aborted (core dumped) Signed-off-by: Philippe Mathieu-Daud=C3=A9 Acked-by: Thomas Huth Message-Id: <20211218160912.1591633-4-philmd@redhat.com> Signed-off-by: Thomas Huth --- tests/qtest/intel-hda-test.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/tests/qtest/intel-hda-test.c b/tests/qtest/intel-hda-test.c index fc25ccc33c..a58c98e4d1 100644 --- a/tests/qtest/intel-hda-test.c +++ b/tests/qtest/intel-hda-test.c @@ -29,11 +29,45 @@ static void ich9_test(void) qtest_end(); } =20 +/* + * https://gitlab.com/qemu-project/qemu/-/issues/542 + * Used to trigger: + * AddressSanitizer: stack-overflow + */ +static void test_issue542_ich6(void) +{ + QTestState *s; + + s =3D qtest_init("-nographic -nodefaults -M pc-q35-6.2 " + "-device intel-hda,id=3D" HDA_ID CODEC_DEVICES); + + qtest_outl(s, 0xcf8, 0x80000804); + qtest_outw(s, 0xcfc, 0x06); + qtest_bufwrite(s, 0xff0d060f, "\x03", 1); + qtest_bufwrite(s, 0x0, "\x12", 1); + qtest_bufwrite(s, 0x2, "\x2a", 1); + qtest_writeb(s, 0x0, 0x12); + qtest_writeb(s, 0x2, 0x2a); + qtest_outl(s, 0xcf8, 0x80000811); + qtest_outl(s, 0xcfc, 0x006a4400); + qtest_bufwrite(s, 0x6a44005a, "\x01", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_quit(s); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/intel-hda/ich6", ich6_test); qtest_add_func("/intel-hda/ich9", ich9_test); + qtest_add_func("/intel-hda/fuzz/issue542", test_issue542_ich6); =20 return g_test_run(); } --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882665859235.8515028288449; Mon, 21 Mar 2022 10:11:05 -0700 (PDT) Received: from localhost ([::1]:32882 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLYg-0002Ye-HL for importer@patchew.org; Mon, 21 Mar 2022 13:11:06 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42422) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRc-0001o5-38 for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:48 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:20716) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRZ-00058e-Bi for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:47 -0400 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-614-v5GTyKIaPR2y5cQPibnbGg-1; Mon, 21 Mar 2022 13:03:41 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1968D1C0B042; Mon, 21 Mar 2022 17:03:40 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id AFBCE40D2821; Mon, 21 Mar 2022 17:03:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882224; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0upps8tY1cLHXMGTy+y9F6CYKBwWu5MFTDgXAhLihq8=; b=ZT0/LwVo2jnQs5DMdbj7fKY2hXSYrUKAphoYEjF2GhyJYFyjUqL4Z82ukvNdc4ggz77bt5 eaCPTsC0B8/hpaQlNMa1wKF0N/+3mO4lUhbJzmuTgKJV4RiOkGXA0CdmZs12z88tyAY0al 7t6N6aq8jlcf6QgQnu8BOiXTMzfoqSA= X-MC-Unique: v5GTyKIaPR2y5cQPibnbGg-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 6/8] hw/sd/sdhci: Honor failed DMA transactions Date: Mon, 21 Mar 2022 18:03:18 +0100 Message-Id: <20220321170320.282496-7-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882667954100001 From: Philippe Mathieu-Daud=C3=A9 DMA transactions might fail. The DMA API returns a MemTxResult, indicating such failures. Do not ignore it. On failure, raise the ADMA error flag and eventually triggering an IRQ (see spec chapter 1.13.5: "ADMA2 States"). Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Thomas Huth Message-Id: <20211215205656.488940-2-philmd@redhat.com> Signed-off-by: Thomas Huth --- hw/sd/sdhci.c | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index e0bbc90344..fe2f21f0c3 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -742,6 +742,7 @@ static void sdhci_do_adma(SDHCIState *s) unsigned int begin, length; const uint16_t block_size =3D s->blksize & BLOCK_SIZE_MASK; ADMADescr dscr =3D {}; + MemTxResult res; int i; =20 if (s->trnmod & SDHC_TRNS_BLK_CNT_EN && !s->blkcnt) { @@ -790,10 +791,13 @@ static void sdhci_do_adma(SDHCIState *s) s->data_count =3D block_size; length -=3D block_size - begin; } - dma_memory_write(s->dma_as, dscr.addr, - &s->fifo_buffer[begin], - s->data_count - begin, - MEMTXATTRS_UNSPECIFIED); + res =3D dma_memory_write(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], + s->data_count - begin, + MEMTXATTRS_UNSPECIFIED); + if (res !=3D MEMTX_OK) { + break; + } dscr.addr +=3D s->data_count - begin; if (s->data_count =3D=3D block_size) { s->data_count =3D 0; @@ -816,10 +820,13 @@ static void sdhci_do_adma(SDHCIState *s) s->data_count =3D block_size; length -=3D block_size - begin; } - dma_memory_read(s->dma_as, dscr.addr, - &s->fifo_buffer[begin], - s->data_count - begin, - MEMTXATTRS_UNSPECIFIED); + res =3D dma_memory_read(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], + s->data_count - begin, + MEMTXATTRS_UNSPECIFIED); + if (res !=3D MEMTX_OK) { + break; + } dscr.addr +=3D s->data_count - begin; if (s->data_count =3D=3D block_size) { sdbus_write_data(&s->sdbus, s->fifo_buffer, block_= size); @@ -833,7 +840,16 @@ static void sdhci_do_adma(SDHCIState *s) } } } - s->admasysaddr +=3D dscr.incr; + if (res !=3D MEMTX_OK) { + if (s->errintstsen & SDHC_EISEN_ADMAERR) { + trace_sdhci_error("Set ADMA error flag"); + s->errintsts |=3D SDHC_EIS_ADMAERR; + s->norintsts |=3D SDHC_NIS_ERR; + } + sdhci_update_irq(s); + } else { + s->admasysaddr +=3D dscr.incr; + } break; case SDHC_ADMA_ATTR_ACT_LINK: /* link to next descriptor table */ s->admasysaddr =3D dscr.addr; --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 164788244541734.534576214060394; Mon, 21 Mar 2022 10:07:25 -0700 (PDT) Received: from localhost ([::1]:51960 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLV5-0004mk-P8 for importer@patchew.org; Mon, 21 Mar 2022 13:07:23 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42440) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRd-0001pq-Fv for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:49 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:59832) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRb-00059G-5K for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:49 -0400 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-595-ZvkQZI2IMSym9vOCgpC51g-1; Mon, 21 Mar 2022 13:03:43 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E1BCD1C0B043; Mon, 21 Mar 2022 17:03:42 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5D8F640C1257; Mon, 21 Mar 2022 17:03:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882226; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AZnkYDrLKn2aQlBR9ldwfjO/dZAkNOjwwAi3aWEwJJI=; b=RW9CyIYYM+tPMJ+1XbosfxZ4gWTQtmTSFp38agZjHTJMtmgqo9ni9d2MAdSofZ8xMeKEeh e2/EW7piDLex7EFqXHBICzhqFic8NS15ZvlhExX0A9gjvRi+g98NhO92Xlo7kJZj3YGiu7 wmEp20OrJ8fNbbY0PjtbyNs5LpchW/o= X-MC-Unique: ZvkQZI2IMSym9vOCgpC51g-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 7/8] hw/sd/sdhci: Prohibit DMA accesses to devices Date: Mon, 21 Mar 2022 18:03:19 +0100 Message-Id: <20220321170320.282496-8-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882448076100001 From: Philippe Mathieu-Daud=C3=A9 The issue reported by OSS-Fuzz produces the following backtrace: =3D=3D447470=3D=3DERROR: AddressSanitizer: heap-buffer-overflow READ of size 1 at 0x61500002a080 thread T0 #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18 #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19 #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11 #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18 #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16 #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9 #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23 #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12 #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18 #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16 #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12 #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12 #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27 #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13 #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9 #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9 #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5 #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18 #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:= 16 #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23 #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12 #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18 #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9 A DMA descriptor is previously filled in RAM. An I/O access to the device (frames #22 to #16) start the DMA engine (frame #13). The engine fetch the descriptor and execute the request, which itself accesses the SDHCI I/O registers (frame #1 and #0), triggering a re-entrancy issue. Fix by prohibit transactions from the DMA to devices. The DMA engine is thus restricted to memories. Reported-by: OSS-Fuzz (Issue 36391) Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Thomas Huth Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451 Message-Id: <20211215205656.488940-3-philmd@redhat.com> Signed-off-by: Thomas Huth --- hw/sd/sdhci.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index fe2f21f0c3..0e5e988927 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -741,6 +741,7 @@ static void sdhci_do_adma(SDHCIState *s) { unsigned int begin, length; const uint16_t block_size =3D s->blksize & BLOCK_SIZE_MASK; + const MemTxAttrs attrs =3D { .memory =3D true }; ADMADescr dscr =3D {}; MemTxResult res; int i; @@ -794,7 +795,7 @@ static void sdhci_do_adma(SDHCIState *s) res =3D dma_memory_write(s->dma_as, dscr.addr, &s->fifo_buffer[begin], s->data_count - begin, - MEMTXATTRS_UNSPECIFIED); + attrs); if (res !=3D MEMTX_OK) { break; } @@ -823,7 +824,7 @@ static void sdhci_do_adma(SDHCIState *s) res =3D dma_memory_read(s->dma_as, dscr.addr, &s->fifo_buffer[begin], s->data_count - begin, - MEMTXATTRS_UNSPECIFIED); + attrs); if (res !=3D MEMTX_OK) { break; } --=20 2.27.0 From nobody Sun Feb 8 15:25:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1647882656322714.5825767475217; Mon, 21 Mar 2022 10:10:56 -0700 (PDT) Received: from localhost ([::1]:60528 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nWLYV-00029t-6j for importer@patchew.org; Mon, 21 Mar 2022 13:10:55 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42474) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRg-0001ra-E0 for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:55 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:44726) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nWLRe-00059o-5c for qemu-devel@nongnu.org; Mon, 21 Mar 2022 13:03:51 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-164-GrR_PXGoNdOXcO1Nxg__Vw-1; Mon, 21 Mar 2022 13:03:46 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 06C7582A6C2; Mon, 21 Mar 2022 17:03:46 +0000 (UTC) Received: from thuth.com (unknown [10.39.195.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5389C4010A1C; Mon, 21 Mar 2022 17:03:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647882229; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DhuPmU9LJA8M+qjfjISBRbzoq636/OC0gkE+0xDHxo0=; b=TXlNfh+QQmaaG/d4vp2IphsVBNQhx1dtSNw6BfPK01mpMHHak7kpwIqEZxO8I3u9kXE+gp Bulp2+DQ4Pi9Hy7GEG89T5AcBS0y2O4rqddQwsJXpSZgreDDs5SJ5aEs8nNH2UMp0idE1+ 61un/H95t5FyrWKDgR7eEUxuf5d6IoA= X-MC-Unique: GrR_PXGoNdOXcO1Nxg__Vw-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 8/8] tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225) Date: Mon, 21 Mar 2022 18:03:20 +0100 Message-Id: <20220321170320.282496-9-thuth@redhat.com> In-Reply-To: <20220321170320.282496-1-thuth@redhat.com> References: <20220321170320.282496-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Bin Meng , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Gerd Hoffmann , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1647882658910100001 From: Philippe Mathieu-Daud=C3=A9 Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/451. Without the previous commit, we get: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test =3D=3D447470=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on addres= s 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8 READ of size 1 at 0x61500002a080 thread T0 #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18 #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19 #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440= :11 #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18 #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:14= 24:16 #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:145= 2:9 #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23 #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12 #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18 #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16 #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12 #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12 #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27 #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13 #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9 #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9 #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:4= 92:5 #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:= 18 #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1= 504:16 #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:= 23 #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12 #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18 #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9 0x61500002a080 is located 0 bytes to the right of 512-byte region [0x6150= 00029e80,0x61500002a080) allocated by thread T0 here: #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737) #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0) #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5 SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in s= dhci_read_dataport Shadow bytes around the buggy address: 0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Heap left redzone: fa Freed heap region: fd =3D=3D447470=3D=3DABORTING Broken pipe ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2) Signed-off-by: Philippe Mathieu-Daud=C3=A9 Acked-by: Thomas Huth Message-Id: <20211215205656.488940-4-philmd@redhat.com> [thuth: Replaced "-m 4G" with "-m 512M"] Signed-off-by: Thomas Huth --- tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c index ae14305344..0f94965a66 100644 --- a/tests/qtest/fuzz-sdcard-test.c +++ b/tests/qtest/fuzz-sdcard-test.c @@ -87,6 +87,81 @@ static void oss_fuzz_36217(void) qtest_quit(s); } =20 +/* + * https://gitlab.com/qemu-project/qemu/-/issues/451 + * Used to trigger a heap buffer overflow. + */ +static void oss_fuzz_36391(void) +{ + QTestState *s; + + s =3D qtest_init(" -display none -m 512M -nodefaults -nographic" + " -device sdhci-pci,sd-spec-version=3D3" + " -device sd-card,drive=3Ddrv" + " -drive if=3Dnone,index=3D0,file=3Dnull-co://,format= =3Draw,id=3Ddrv"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe0000000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x7); + qtest_bufwrite(s, 0xe0000005, "\x73", 0x1); + qtest_bufwrite(s, 0xe0000028, "\x55", 0x1); + qtest_bufwrite(s, 0xe000002c, "\x55", 0x1); + qtest_bufwrite(s, 0x0, "\x65", 0x1); + qtest_bufwrite(s, 0x7, "\x69", 0x1); + qtest_bufwrite(s, 0x8, "\x65", 0x1); + qtest_bufwrite(s, 0xf, "\x69", 0x1); + qtest_bufwrite(s, 0x10, "\x65", 0x1); + qtest_bufwrite(s, 0x17, "\x69", 0x1); + qtest_bufwrite(s, 0x18, "\x65", 0x1); + qtest_bufwrite(s, 0x1f, "\x69", 0x1); + qtest_bufwrite(s, 0x20, "\x65", 0x1); + qtest_bufwrite(s, 0x27, "\x69", 0x1); + qtest_bufwrite(s, 0x28, "\x65", 0x1); + qtest_bufwrite(s, 0x2f, "\x69", 0x1); + qtest_bufwrite(s, 0x30, "\x65", 0x1); + qtest_bufwrite(s, 0x37, "\x69", 0x1); + qtest_bufwrite(s, 0x38, "\x65", 0x1); + qtest_bufwrite(s, 0x3f, "\x69", 0x1); + qtest_bufwrite(s, 0x40, "\x65", 0x1); + qtest_bufwrite(s, 0x47, "\x69", 0x1); + qtest_bufwrite(s, 0x48, "\x65", 0x1); + qtest_bufwrite(s, 0xe000000c, "\x55", 0x1); + qtest_bufwrite(s, 0xe000000e, "\x2c", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x5b", 0x1); + qtest_bufwrite(s, 0xe0000010, "\x06\x46", 0x2); + qtest_bufwrite(s, 0x50, "\x65", 0x1); + qtest_bufwrite(s, 0x57, "\x69", 0x1); + qtest_bufwrite(s, 0x58, "\x65", 0x1); + qtest_bufwrite(s, 0x5f, "\x69", 0x1); + qtest_bufwrite(s, 0x60, "\x65", 0x1); + qtest_bufwrite(s, 0x67, "\x69", 0x1); + qtest_bufwrite(s, 0x68, "\x65", 0x1); + qtest_bufwrite(s, 0x6f, "\x69", 0x1); + qtest_bufwrite(s, 0x70, "\x65", 0x1); + qtest_bufwrite(s, 0x77, "\x69", 0x1); + qtest_bufwrite(s, 0x78, "\x65", 0x1); + qtest_bufwrite(s, 0x7f, "\x69", 0x1); + qtest_bufwrite(s, 0x80, "\x65", 0x1); + qtest_bufwrite(s, 0x87, "\x69", 0x1); + qtest_bufwrite(s, 0x88, "\x65", 0x1); + qtest_bufwrite(s, 0x8f, "\x69", 0x1); + qtest_bufwrite(s, 0x90, "\x65", 0x1); + qtest_bufwrite(s, 0x97, "\x69", 0x1); + qtest_bufwrite(s, 0x98, "\x65", 0x1); + qtest_bufwrite(s, 0xe0000026, "\x5a\x06", 0x2); + qtest_bufwrite(s, 0xe0000028, "\x46\xc0\xc9\xc9", 0x4); + qtest_bufwrite(s, 0xe0000028, "\x55", 0x1); + qtest_bufwrite(s, 0xe000002a, "\x5a", 0x1); + qtest_bufwrite(s, 0xa0, "\x65", 0x1); + qtest_bufwrite(s, 0xa5, "\xff", 0x1); + qtest_bufwrite(s, 0xa6, "\xff", 0x1); + qtest_bufwrite(s, 0xa7, "\xdf", 0x1); + qtest_bufwrite(s, 0xe000000c, "\x27", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x55", 0x1); + + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch =3D qtest_get_arch(); @@ -96,6 +171,7 @@ int main(int argc, char **argv) if (strcmp(arch, "i386") =3D=3D 0) { qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225); qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217); + qtest_add_func("fuzz/sdcard/oss_fuzz_36391", oss_fuzz_36391); } =20 return g_test_run(); --=20 2.27.0