qemu-stable

Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409


From: Bin Meng
Subject: Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
Date: Tue, 16 Feb 2021 08:55:36 +0800

Hi Alex,

On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov <alxndr@bu.edu> wrote:
>
> Hi Bin,
> Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> one thing:

Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

> Maybe this is already much better than the current state of the code, so
> this one can be fixed in a later patch?

Depends on when Philippe can pick up this series, but I can also try to
have a quick look :)

>
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> -device sd-card,drive=mydrive \
> -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80001001
> outl 0xcfc 0x06000000
> write 0xe000002c 0x1 0x05
> write 0xe0000005 0x1 0x02
> write 0xe0000007 0x1 0x01
> write 0xe0000028 0x1 0x10
> write 0x0 0x1 0x23
> write 0x2 0x1 0x08
> write 0xe000000c 0x1 0x01
> write 0xe000000e 0x1 0x20
> write 0xe000000f 0x1 0x00
> write 0xe000000c 0x1 0x32
> write 0xe0000004 0x2 0x0200
> write 0xe0000028 0x1 0x00
> write 0xe0000003 0x1 0x40
> EOF
>
>
> ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> READ of size 4 at 0x615000031880 thread T0
> #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
> #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
> #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
> #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
> #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
> #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18

Regards,
Bin
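A triage helper for reports like the one quoted in this thread, added here as an example and not code from the thread or from QEMU: it parses an AddressSanitizer report into its frames and picks the innermost frame inside hw/, i.e. the device model that issued the bad DMA access, instead of the generic memory and DMA helpers at the top of the stack. The embedded report is a constructed, abridged copy of the one quoted above with the e-mail line wrapping undone.

```python
import re
from typing import Optional

# Constructed sample: the AddressSanitizer report quoted above, abridged and
# with the e-mail line wrapping undone (it is not verbatim list output).
SAMPLE_REPORT = """\
==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000031880 at pc 0x55d070f2c6d9
READ of size 4 at 0x615000031880 thread T0
    #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
    #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
    #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
    #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
    #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
    #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
    #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
    #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
    #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
    #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)

def parse_asan_report(text: str) -> dict:
    """Extract bug class, access kind/size and the frames of the first stack."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    frames = []
    for m in filter(None, map(FRAME_RE.match, text.splitlines())):
        loc = m.group(3).split(":")  # file[:line[:column]]; line may be absent
        frames.append({"function": m.group(2), "file": loc[0],
                       "line": int(loc[1]) if len(loc) > 1 and loc[1].isdigit() else None})
    return {"bug": header.group(1) if header else None,
            "access": access.group(1) if access else None,
            "size": int(access.group(2)) if access else None,
            "frames": frames}

def blame_frame(report: dict, subsystem: str = "hw/") -> Optional[dict]:
    """Innermost frame inside the given QEMU subsystem: the device model that
    issued the bad access, skipping the generic memory/DMA helpers above it."""
    for frame in report["frames"]:
        path = frame["file"].replace("build/../", "")  # strip out-of-tree build prefix
        if path.startswith(subsystem):
            return frame
    return None
```

For the report above this points at sdhci_sdma_transfer_multi_blocks in hw/sd/sdhci.c line 619, the DMA write that runs past the heap buffer.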
