From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Bin Meng, Zheyu Ma, qemu-block@nongnu.org, Philippe Mathieu-Daudé, qemu-stable@nongnu.org
Subject: [PATCH-for-9.1 5/5] hw/sd/sdhci: Check ADMA descriptors can be accessed
Date: Tue, 30 Jul 2024 11:21:38 +0200
Message-ID: <20240730092138.32443-6-philmd@linaro.org>
In-Reply-To: <20240730092138.32443-1-philmd@linaro.org>
References: <20240730092138.32443-1-philmd@linaro.org>

Since a malicious guest can write invalid addresses to the ADMASYSADDR
register, we need to check whether the descriptor could be correctly
filled or not.

Cc: qemu-stable@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/sd/sdhci.c      | 86 ++++++++++++++++++++++++++--------------------
 hw/sd/trace-events |  2 +-
 2 files changed, 49 insertions(+), 39 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 66b9364e9e..eb0476b9aa 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -698,53 +698,62 @@ static void trace_adma_description(const char *type, = const ADMADescr *dscr) trace_sdhci_adma_desc(type, dscr->addr, dscr->length, dscr->attr, dscr= ->incr); } =20 -static void get_adma_description(SDHCIState *s, ADMADescr *dscr) +static MemTxResult get_adma_description(SDHCIState *s, ADMADescr *dscr) { uint32_t adma1 =3D 0; uint64_t adma2 =3D 0; hwaddr entry_addr =3D (hwaddr)s->admasysaddr; + MemTxResult res; + switch (SDHC_DMA_TYPE(s->hostctl1)) { case SDHC_CTRL_ADMA2_32: - dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2), - MEMTXATTRS_UNSPECIFIED); - adma2 =3D le64_to_cpu(adma2); - /* The spec does not specify endianness of descriptor table. - * We currently assume that it is LE. - */ - dscr->addr =3D (hwaddr)extract64(adma2, 32, 32) & ~0x3ull; - dscr->length =3D (uint16_t)extract64(adma2, 16, 16); - dscr->attr =3D (uint8_t)extract64(adma2, 0, 7); - dscr->incr =3D 8; - trace_adma_description("ADMA2_32", dscr); + res =3D dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma= 2), + MEMTXATTRS_UNSPECIFIED); + if (res =3D=3D MEMTX_OK) { + adma2 =3D le64_to_cpu(adma2); + /* The spec does not specify endianness of descriptor table. + * We currently assume that it is LE. 
+ */ + dscr->addr =3D (hwaddr)extract64(adma2, 32, 32) & ~0x3ull; + dscr->length =3D (uint16_t)extract64(adma2, 16, 16); + dscr->attr =3D (uint8_t)extract64(adma2, 0, 7); + dscr->incr =3D 8; + trace_adma_description("ADMA2_32", dscr); + } break; case SDHC_CTRL_ADMA1_32: - dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1), - MEMTXATTRS_UNSPECIFIED); - adma1 =3D le32_to_cpu(adma1); - dscr->addr =3D (hwaddr)(adma1 & 0xFFFFF000); - dscr->attr =3D (uint8_t)extract32(adma1, 0, 7); - dscr->incr =3D 4; - if ((dscr->attr & SDHC_ADMA_ATTR_ACT_MASK) =3D=3D SDHC_ADMA_ATTR_S= ET_LEN) { - dscr->length =3D (uint16_t)extract32(adma1, 12, 16); - } else { - dscr->length =3D 4 * KiB; + res =3D dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma= 1), + MEMTXATTRS_UNSPECIFIED); + if (res =3D=3D MEMTX_OK) { + adma1 =3D le32_to_cpu(adma1); + dscr->addr =3D (hwaddr)(adma1 & ~0xfff); + dscr->attr =3D (uint8_t)extract32(adma1, 0, 7); + dscr->incr =3D 4; + if ((dscr->attr & SDHC_ADMA_ATTR_ACT_MASK) =3D=3D SDHC_ADMA_AT= TR_SET_LEN) { + dscr->length =3D (uint16_t)extract32(adma1, 12, 16); + } else { + dscr->length =3D 4 * KiB; + } + trace_adma_description("ADMA1_32", dscr); } - trace_adma_description("ADMA1_32", dscr); break; case SDHC_CTRL_ADMA2_64: - dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, - MEMTXATTRS_UNSPECIFIED); - dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2, - MEMTXATTRS_UNSPECIFIED); - dscr->length =3D le16_to_cpu(dscr->length); - dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, - MEMTXATTRS_UNSPECIFIED); - dscr->addr =3D le64_to_cpu(dscr->addr); - dscr->attr &=3D (uint8_t) ~0xC0; - dscr->incr =3D 12; - trace_adma_description("ADMA2_64", dscr); + res =3D dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, + MEMTXATTRS_UNSPECIFIED); + res |=3D dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length,= 2, + MEMTXATTRS_UNSPECIFIED); + res |=3D dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, + MEMTXATTRS_UNSPECIFIED); 
+ if (res =3D=3D MEMTX_OK) { + dscr->length =3D le16_to_cpu(dscr->length); + dscr->addr =3D le64_to_cpu(dscr->addr); + dscr->attr &=3D (uint8_t) ~0xc0; + dscr->incr =3D 12; + trace_adma_description("ADMA2_64", dscr); + } break; } + return res; } =20 /* Advanced DMA data transfer */ @@ -755,7 +764,6 @@ static void sdhci_do_adma(SDHCIState *s) const uint16_t block_size =3D s->blksize & BLOCK_SIZE_MASK; const MemTxAttrs attrs =3D { .memory =3D true }; ADMADescr dscr =3D {}; - MemTxResult res; int i; =20 if (s->trnmod & SDHC_TRNS_BLK_CNT_EN && !s->blkcnt) { @@ -765,12 +773,14 @@ static void sdhci_do_adma(SDHCIState *s) } =20 for (i =3D 0; i < SDHC_ADMA_DESCS_PER_DELAY; ++i) { + MemTxResult res; + s->admaerr &=3D ~SDHC_ADMAERR_LENGTH_MISMATCH; =20 - get_adma_description(s, &dscr); - trace_sdhci_adma_loop(dscr.addr, dscr.length, dscr.attr); + res =3D get_adma_description(s, &dscr); + trace_sdhci_adma_loop(dscr.addr, dscr.length, dscr.attr, res); =20 - if ((dscr.attr & SDHC_ADMA_ATTR_VALID) =3D=3D 0) { + if (res !=3D MEMTX_OK || (dscr.attr & SDHC_ADMA_ATTR_VALID) =3D=3D= 0) { /* Indicate that error occurred in ST_FDS state */ s->admaerr &=3D ~SDHC_ADMAERR_STATE_MASK; s->admaerr |=3D SDHC_ADMAERR_STATE_ST_FDS; diff --git a/hw/sd/trace-events b/hw/sd/trace-events index 3d3f5c1cb7..a802a717b9 100644 --- a/hw/sd/trace-events +++ b/hw/sd/trace-events 
@@ -29,7 +29,7 @@ sdhci_response4(uint32_t r0) "RSPREG[31..0]=3D0x%08x" sdhci_response16(uint32_t r3, uint32_t r2, uint32_t r1, uint32_t r0) "RSPR= EG[127..96]=3D0x%08x, RSPREG[95..64]=3D0x%08x, RSPREG[63..32]=3D0x%08x, RSP= REG[31..0]=3D0x%08x" sdhci_end_transfer(uint8_t cmd, uint32_t arg) "Automatically issue CMD%02u= 0x%08x" sdhci_adma(const char *desc, uint32_t sysad) "%s: admasysaddr=3D0x%" PRIx32 -sdhci_adma_loop(uint64_t addr, uint16_t length, uint8_t attr) "addr=3D0x%0= 8" PRIx64 ", len=3D%d, attr=3D0x%x" +sdhci_adma_loop(uint64_t addr, uint16_t length, uint8_t attr, uint32_t res= ) "addr=3D0x%08" PRIx64 ", len=3D%d, attr=3D0x%x, res=3D%" PRIu32 sdhci_adma_transfer_completed(void) "" sdhci_access(const char *access, unsigned int size, uint64_t offset, const= char *dir, uint64_t val, uint64_t val2) "%s%u: addr[0x%04" PRIx64 "] %s 0x= %08" PRIx64 " (%" PRIu64 ")" sdhci_read_dataport(uint16_t data_count) "all %u bytes of data have been r= ead from input buffer" --=20 2.45.2
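Review bot: in the get_adma_description() hunk, `MemTxResult res;` is declared without an initialiser and is only assigned inside the three `case` arms, so if SDHC_DMA_TYPE(s->hostctl1) evaluates to anything else the function returns whatever happens to be on the stack (and compilers may flag it with -Wmaybe-uninitialized). Initialise it to a failure value, e.g. `MemTxResult res = MEMTX_ERROR;`, or add a `default:` arm that sets one, so an unexpected DMA mode is reported as a failed fetch instead of an indeterminate result. Separately, the `0xFFFFF000` -> `~0xfff` and `~0xC0` -> `~0xc0` rewrites in the same hunk are unrelated cosmetic churn in a patch tagged for qemu-stable; dropping them keeps the backport diff minimal.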
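Review bot: in the sdhci_do_adma() hunk, `trace_sdhci_adma_loop(dscr.addr, dscr.length, dscr.attr, res)` runs before the `res != MEMTX_OK` test, but on the ADMA2_32 and ADMA1_32 paths get_adma_description() leaves `dscr` untouched when the read fails, so on a fetch error the trace shows the previous iteration's descriptor (or the zero-initialised one) next to a non-zero `res`. Either trace `s->admasysaddr` alongside the result or only emit the decoded fields when `res == MEMTX_OK`, so the trace cannot be misread as the contents of the descriptor that failed. Routing the failure through the existing ST_FDS branch is the right choice: it matches the "error occurred in ST_FDS state" comment already there and reports an unreadable descriptor table the same way as an invalid descriptor.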
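Review bot: in the trace-events hunk, the new `res` argument of `sdhci_adma_loop` is printed with `%" PRIu32`, but MemTxResult is a bit mask of MEMTX_* flags, and the ADMA2_64 path OR-s three results together, so a combined value is easier to decode in hex; `res=0x%" PRIx32` would make the individual flags visible at a glance. Declaring the parameter as `uint32_t` is consistent with the MemTxResult typedef, so no change is needed there.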