[Qemu-commits] [qemu/qemu] 2a0396: hw/sd/sdcard: Document out-of-range a


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 2a0396: hw/sd/sdcard: Document out-of-range addresses for ...
Date: Wed, 04 Aug 2021 05:53:34 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 2a0396285daa9483459ec1d3791951300b595e85
      https://github.com/qemu/qemu/commit/2a0396285daa9483459ec1d3791951300b595e85
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2021-08-03 (Tue, 03 Aug 2021)

  Changed paths:
    M hw/sd/sd.c

  Log Message:
  -----------
  hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT

Per the 'Physical Layer Simplified Specification Version 3.01',
Table 4-22: 'Block Oriented Write Protection Commands'

  SEND_WRITE_PROT (CMD30)

  If the card provides write protection features, this command asks
  the card to send the status of the write protection bits [1].

  [1] 32 write protection bits (representing 32 write protect groups
  starting at the specified address) [...]
  The last (least significant) bit of the protection bits corresponds
  to the first addressed group. If the addresses of the last groups
  are outside the valid range, then the corresponding write protection
  bits shall be set to 0.

Split the if() statement (without changing the behaviour of the code)
to better position the description comment.

Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-2-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>


  Commit: 4ac0b72bae85cf94ae0e5153b9c2c288c71667d4
      https://github.com/qemu/qemu/commit/4ac0b72bae85cf94ae0e5153b9c2c288c71667d4
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2021-08-03 (Tue, 03 Aug 2021)

  Changed paths:
    M hw/sd/sd.c
    M tests/qtest/fuzz-sdcard-test.c

  Log Message:
  -----------
  hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):

  qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
  Assertion `wpnum < sd->wpgrps_size' failed.
  #3 0x7f62a8b22c91 in __assert_fail
  #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
  #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
  #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
  #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
  #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
  #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
  #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5

It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).

In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
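
The ordering problem described in the log message above, as an added example that is not part of the commit or of QEMU's source: a simplified model of the CMD30 response loop with the range test before the invariant check, next to a helper that reports when the misplaced ordering would abort. The struct, function names, group size and sample card are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU's hw/sd/sd.c: names and sizes are assumptions. */
#define GROUP_SIZE 4096u   /* bytes per write-protect group (assumed) */
#define NGROUPS    40u     /* groups on the sample card (assumed) */

struct card { uint64_t size; bool wp[NGROUPS]; };

struct card sample_card(void)
{
    struct card c = { .size = (uint64_t)NGROUPS * GROUP_SIZE };
    c.wp[1] = c.wp[7] = c.wp[39] = true;   /* constructed protection state */
    return c;
}

/* Range test first, invariant second: out-of-range groups report 0.
 * *broken stands in for assert() so the example can run to completion. */
uint32_t wpbits_fixed(const struct card *c, uint64_t addr, bool *broken)
{
    uint32_t ret = 0;
    uint64_t grp = addr / GROUP_SIZE;
    for (uint32_t i = 0; i < 32; i++, grp++, addr += GROUP_SIZE) {
        if (addr >= c->size) continue;               /* bit stays 0 */
        if (grp >= NGROUPS) { *broken = true; continue; }
        if (c->wp[grp]) ret |= UINT32_C(1) << i;
    }
    return ret;
}

/* Invariant first, range test second: true when the misplaced check
 * would fire for this guest-supplied address. */
bool misplaced_check_fires(const struct card *c, uint64_t addr)
{
    uint64_t grp = addr / GROUP_SIZE;
    for (uint32_t i = 0; i < 32; i++, grp++, addr += GROUP_SIZE) {
        if (grp >= NGROUPS) return true;             /* assert() would abort here */
        if (addr >= c->size) continue;
    }
    return false;
}

int main(void)
{
    struct card c = sample_card();
    bool broken = false;
    uint64_t probes[] = { 0, 32 * GROUP_SIZE, 1u << 20 };  /* inside, straddling, beyond */
    for (int i = 0; i < 3; i++)
        printf("addr=%llu bits=0x%08x misplaced_fires=%d\n", (unsigned long long)probes[i],
               (unsigned)wpbits_fixed(&c, probes[i], &broken), misplaced_check_fires(&c, probes[i]));
    return broken;
}
```

In this model a 32-group window that merely straddles the end of the card is enough to trip the misplaced check, while the corrected ordering returns zero bits for the out-of-range groups and never reaches the invariant with an invalid index.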


  Commit: 700d82c9bc6c1c53d5f501fc2d099d28da0cef7a
      https://github.com/qemu/qemu/commit/700d82c9bc6c1c53d5f501fc2d099d28da0cef7a
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-08-04 (Wed, 04 Aug 2021)

  Changed paths:
    M hw/sd/sd.c
    M tests/qtest/fuzz-sdcard-test.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging

SD/MMC patches queue

- sdcard: Fix assertion accessing out-of-range addresses
  with SEND_WRITE_PROT (CMD30)

# gpg: Signature made Tue 03 Aug 2021 18:38:03 BST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* remotes/philmd/tags/sdmmc-20210803:
  hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
  hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/ef6607edf005...700d82c9bc6c


