[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH-for-6.1 2/3] hw/sd/sdcard: Fix assertion accessing out-of-ran
From: |
Philippe Mathieu-Daudé |
Subject: |
Re: [PATCH-for-6.1 2/3] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 |
Date: |
Mon, 2 Aug 2021 12:52:35 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 |
Peter, Bin, could you review this (trivial) patch?
This is a regression since 6.1 I'd like to get fixed
for v6.1.0-rc2.
On 7/28/21 8:17 PM, Philippe Mathieu-Daudé wrote:
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers the assertion added in commit 84816fb63e5
> ("hw/sd/sdcard: Assert if accessing an illegal group"):
>
> qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t
> sd_wpbits(SDState *, uint64_t):
> Assertion `wpnum < sd->wpgrps_size' failed.
> #3 0x7f62a8b22c91 in __assert_fail
> #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
> #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
> #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
> #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
> #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
> #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
> #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
>
> It is legal for the CMD30 to query for out-of-range addresses.
> Such invalid addresses are simply ignored in the response (write
> protection bits set to 0).
>
> Note, we had an off-by-one in the wpgrps_size check since commit
> a1bb27b1e98. Since we have a total of 'wpgrps_size' bits, the latest
> valid group bit is 'wpgrps_size - 1'.
>
> Since we now check the group bit is in range, remove the assertion.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
> $ make check-qtest-i386
> ...
> Running test qtest-i386/fuzz-sdcard-test
> qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum <
> sd->wpgrps_size' failed.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> hw/sd/sd.c | 4 ++--
> tests/qtest/fuzz-sdcard-test.c | 36 ++++++++++++++++++++++++++++++++++
> 2 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 707dcc12a14..273af75c1be 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -820,8 +820,8 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
>
> wpnum = sd_addr_to_wpnum(addr);
>
> - for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
> - assert(wpnum < sd->wpgrps_size);
> + for (i = 0; i < 32 && wpnum < sd->wpgrps_size - 1;
> + i++, wpnum++, addr += WPGROUP_SIZE) {
> if (addr >= sd->size) {
> /*
> * If the addresses of the last groups are outside the valid
> range,
> diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
> index 96602eac7e5..ae14305344a 100644
> --- a/tests/qtest/fuzz-sdcard-test.c
> +++ b/tests/qtest/fuzz-sdcard-test.c
> @@ -52,6 +52,41 @@ static void oss_fuzz_29225(void)
> qtest_quit(s);
> }
>
> +/*
> + * https://gitlab.com/qemu-project/qemu/-/issues/495
> + * Used to trigger:
> + * Assertion `wpnum < sd->wpgrps_size' failed.
> + */
> +static void oss_fuzz_36217(void)
> +{
> + QTestState *s;
> +
> + s = qtest_init(" -display none -m 32 -nodefaults -nographic"
> + " -device sdhci-pci,sd-spec-version=3 "
> + "-device sd-card,drive=d0 "
> + "-drive
> if=none,index=0,file=null-co://,format=raw,id=d0");
> +
> + qtest_outl(s, 0xcf8, 0x80001010);
> + qtest_outl(s, 0xcfc, 0xe0000000);
> + qtest_outl(s, 0xcf8, 0x80001004);
> + qtest_outw(s, 0xcfc, 0x02);
> + qtest_bufwrite(s, 0xe000002c, "\x05", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x37", 0x1);
> + qtest_bufwrite(s, 0xe000000a, "\x01", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x29", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x02", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x03", 0x1);
> + qtest_bufwrite(s, 0xe0000005, "\x01", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x06", 0x1);
> + qtest_bufwrite(s, 0xe000000c, "\x05", 0x1);
> + qtest_bufwrite(s, 0xe000000e, "\x20", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x08", 0x1);
> + qtest_bufwrite(s, 0xe000000b, "\x3d", 0x1);
> + qtest_bufwrite(s, 0xe000000f, "\x1e", 0x1);
> +
> + qtest_quit(s);
> +}
> +
> int main(int argc, char **argv)
> {
> const char *arch = qtest_get_arch();
> @@ -60,6 +95,7 @@ int main(int argc, char **argv)
>
> if (strcmp(arch, "i386") == 0) {
> qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
> + qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217);
> }
>
> return g_test_run();
>
- Re: [PATCH-for-6.1 2/3] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30,
Philippe Mathieu-Daudé <=