From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Alexander Bulekov" <alxndr@bu.edu>,
"Bin Meng" <bin.meng@windriver.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Bin Meng" <bmeng.cn@gmail.com>
Subject: [PULL 2/4] hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses
Date: Sun, 11 Jul 2021 23:10:55 +0200 [thread overview]
Message-ID: <20210711211057.2714586-3-f4bug@amsat.org> (raw)
In-Reply-To: <20210711211057.2714586-1-f4bug@amsat.org>
Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-3-f4bug@amsat.org>
---
hw/sd/sd.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index d8fdf84f4db..9c8dd11bad1 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
sd->card_status &= ~CARD_IS_LOCKED;
}
+static bool address_in_range(SDState *sd, const char *desc,
+ uint64_t addr, uint32_t length)
+{
+ if (addr + length > sd->size) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+ desc, addr, sd->size, length);
+ sd->card_status |= ADDRESS_ERROR;
+ return false;
+ }
+ return true;
+}
+
static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
{
uint32_t rca = 0x0000;
@@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
return sd_r1;
}
@@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
return sd_r1;
}
@@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr >= sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
return sd_r1b;
}
@@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr >= sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
return sd_r1b;
}
@@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
if (sd->data_offset == 0) {
/* Start of the block - let's check the address is valid */
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+ sd->data_start, sd->blk_len)) {
break;
}
if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd)
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
if (sd->data_offset == 0) {
- if (sd->data_start + io_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+ sd->data_start, io_len)) {
return 0x00;
}
BLK_READ_BLOCK(sd->data_start, io_len);
--
2.31.1
next prev parent reply other threads:[~2021-07-11 21:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-11 21:10 [PULL 0/4] SD/MMC patches for 2021-07-11 Philippe Mathieu-Daudé
2021-07-11 21:10 ` [PULL 1/4] hw/sd/sdcard: When card is in wrong state, log which state it is Philippe Mathieu-Daudé
2021-07-11 21:10 ` Philippe Mathieu-Daudé [this message]
2021-07-11 21:10 ` [PULL 3/4] hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) Philippe Mathieu-Daudé
2021-07-11 21:10 ` [PULL 4/4] hw/sd: sdhci: Enable 64-bit system bus capability in the default SD/MMC host controller Philippe Mathieu-Daudé
2021-07-12 10:20 ` Philippe Mathieu-Daudé
2021-07-12 10:22 ` [PULL 0/4] SD/MMC patches for 2021-07-11 Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210711211057.2714586-3-f4bug@amsat.org \
--to=f4bug@amsat.org \
--cc=alxndr@bu.edu \
--cc=bin.meng@windriver.com \
--cc=bmeng.cn@gmail.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).