From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: "Laurent Vivier" <lvivier@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Thomas Huth" <thuth@redhat.com>,
qemu-block@nongnu.org, "Bin Meng" <bin.meng@windriver.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
qemu-stable@nongnu.org, "Alexander Bulekov" <alxndr@bu.edu>,
"Bandan Das" <bsd@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: [PULL 2/2] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
Date: Tue, 3 Aug 2021 19:39:22 +0200
Message-ID: <20210803173922.3599280-3-f4bug@amsat.org>
In-Reply-To: <20210803173922.3599280-1-f4bug@amsat.org>
OSS-Fuzz found that sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
Assertion `wpnum < sd->wpgrps_size' failed.
#3 0x7f62a8b22c91 in __assert_fail
#4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
#5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
#6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
#7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
#8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
#9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
#10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
It is legal for CMD30 to query out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).
In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.
Include the qtest reproducer provided by Alexander Bulekov:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.
Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
---
hw/sd/sd.c | 2 +-
tests/qtest/fuzz-sdcard-test.c | 36 ++++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 707dcc12a14..bb5dbff68c0 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -821,7 +821,6 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
wpnum = sd_addr_to_wpnum(addr);
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
- assert(wpnum < sd->wpgrps_size);
if (addr >= sd->size) {
/*
* If the addresses of the last groups are outside the valid range,
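Review bot: once the assert is removed from the top of the loop, the only thing keeping `wpnum` inside `sd->wp_groups` is the `addr >= sd->size` test on the next line, i.e. the implicit invariant that every address below `sd->size` maps to a group number below `sd->wpgrps_size`. That invariant is established wherever `wpgrps_size` is computed, not in this function, so a one-line comment above the loop stating it (something like "addr < size implies wpnum < wpgrps_size, see where wpgrps_size is set") would save the next reader from re-deriving why a range check on `addr` is sufficient to bound an index on `wpnum`.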
@@ -829,6 +828,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
*/
continue;
}
+ assert(wpnum < sd->wpgrps_size);
if (test_bit(wpnum, sd->wp_groups)) {
ret |= (1 << i);
}
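Review bot: moving the assertion below the `continue` is the right split between guest-reachable and internal conditions: an out-of-range `addr` is legal CMD30 input and is now answered with a 0 bit, whereas `wpnum < sd->wpgrps_size` can only fail if the card's own size bookkeeping is inconsistent, which is the kind of condition an assert should express (guest-triggerable misbehaviour in QEMU device models is reported with `qemu_log_mask(LOG_GUEST_ERROR, ...)`, not `assert`). A short comment on the assert saying that it is no longer reachable from the command argument would make a future report of it firing point at `wpgrps_size` rather than at the command decoder.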
diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
index 96602eac7e5..ae14305344a 100644
--- a/tests/qtest/fuzz-sdcard-test.c
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -52,6 +52,41 @@ static void oss_fuzz_29225(void)
qtest_quit(s);
}
+/*
+ * https://gitlab.com/qemu-project/qemu/-/issues/495
+ * Used to trigger:
+ * Assertion `wpnum < sd->wpgrps_size' failed.
+ */
+static void oss_fuzz_36217(void)
+{
+ QTestState *s;
+
+ s = qtest_init(" -display none -m 32 -nodefaults -nographic"
+ " -device sdhci-pci,sd-spec-version=3 "
+ "-device sd-card,drive=d0 "
+ "-drive if=none,index=0,file=null-co://,format=raw,id=d0");
+
+ qtest_outl(s, 0xcf8, 0x80001010);
+ qtest_outl(s, 0xcfc, 0xe0000000);
+ qtest_outl(s, 0xcf8, 0x80001004);
+ qtest_outw(s, 0xcfc, 0x02);
+ qtest_bufwrite(s, 0xe000002c, "\x05", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x37", 0x1);
+ qtest_bufwrite(s, 0xe000000a, "\x01", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x29", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x02", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x03", 0x1);
+ qtest_bufwrite(s, 0xe0000005, "\x01", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x06", 0x1);
+ qtest_bufwrite(s, 0xe000000c, "\x05", 0x1);
+ qtest_bufwrite(s, 0xe000000e, "\x20", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x08", 0x1);
+ qtest_bufwrite(s, 0xe000000b, "\x3d", 0x1);
+ qtest_bufwrite(s, 0xe000000f, "\x1e", 0x1);
+
+ qtest_quit(s);
+}
+
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
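Review bot: the new function is named oss_fuzz_36217 and its comment cites only the GitLab issue, while the commit message's Reported-by tag says "OSS-Fuzz (Issue 29225)", which is the number of the existing reproducer just above (oss_fuzz_29225); one of the two looks copied from the neighbouring test, so please reconcile the tag with the function name and add the OSS-Fuzz issue number to the comment so the test file is self-describing. The raw register writes would also benefit from a comment each: the two 0xcf8/0xcfc pairs program BAR0 of the sdhci-pci device to 0xe0000000 and set the memory-space-enable bit in its PCI command register, and the writes to 0xe000000f land on the high byte of the SDHCI Command register (command index), so for instance 0x37 is CMD55 and the final 0x1e is CMD30 (SEND_WRITE_PROT), with the preceding write of 0x3d to 0xe000000b setting the top byte of the Argument register, i.e. the out-of-range address the assertion tripped on. Without that, the sequence is reproducible but not reviewable.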
@@ -60,6 +95,7 @@ int main(int argc, char **argv)
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
+ qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217);
}
return g_test_run();
--
2.31.1
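The write-protect lookup the commit message describes, as an added example that is not QEMU's code and not taken from the patch above: a self-contained model of how a card answers CMD30 (SEND_WRITE_PROT), with the range check ahead of the bitmap assertion as in the fix, plus a predicate that reports whether the pre-fix ordering would have aborted for a given argument. The 1 MiB group size, byte (SDSC-style) addressing, the fixed-size bitmap, the `wp_*` names and the demo card are all assumptions of this example; the 0x3d000000 argument is what the reproducer's final register writes form if read against the SDHCI register layout, also an assumption here.

```c
/* Added example, not QEMU code. Models an SD card's CMD30 (SEND_WRITE_PROT)
 * response: 32 bits, one per write-protect group starting at the group that
 * contains the command argument; groups beyond the card read as 0.
 * Group size, addressing mode and all wp_* names are assumptions. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WPGROUP_SIZE  (1u << 20)   /* assumed: 1 MiB per write-protect group */
#define WP_MAX_GROUPS 4096u        /* assumed bitmap capacity (4 GiB of groups) */

struct wp_model {
    uint64_t size;                         /* card capacity in bytes */
    uint32_t wpgrps_size;                  /* number of groups on the card */
    uint8_t  wp_groups[WP_MAX_GROUPS / 8]; /* one bit per group, 1 = protected */
};

static uint32_t wp_addr_to_wpnum(uint64_t addr)
{
    return (uint32_t)(addr / WPGROUP_SIZE);
}

/* wpgrps_size is derived from size here; that derivation is the invariant
 * the in-loop assertion in wp_model_wpbits depends on. */
static bool wp_model_init(struct wp_model *m, uint64_t size)
{
    uint64_t groups = (size + WPGROUP_SIZE - 1) / WPGROUP_SIZE;
    if (groups > WP_MAX_GROUPS) {
        return false;
    }
    m->size = size;
    m->wpgrps_size = (uint32_t)groups;
    memset(m->wp_groups, 0, sizeof m->wp_groups);
    return true;
}

static bool wp_test_bit(const struct wp_model *m, uint32_t n)
{
    return (m->wp_groups[n / 8] >> (n % 8)) & 1u;
}

/* CMD28 SET_WRITE_PROT style: protect the group containing addr. Addresses
 * beyond the card are rejected, so every set bit has an index < wpgrps_size. */
static bool wp_model_protect(struct wp_model *m, uint64_t addr)
{
    if (addr >= m->size) {
        return false;
    }
    uint32_t n = wp_addr_to_wpnum(addr);
    m->wp_groups[n / 8] |= (uint8_t)(1u << (n % 8));
    return true;
}

/* CMD30 response with the fixed ordering: the range check on addr runs first,
 * so an out-of-range group contributes a 0 bit and the bitmap is never indexed
 * with wpnum >= wpgrps_size. arg is the 32-bit command argument, so addr
 * cannot wrap while stepping 32 groups forward. */
static uint32_t wp_model_wpbits(const struct wp_model *m, uint32_t arg)
{
    uint64_t addr = arg;
    uint32_t wpnum = wp_addr_to_wpnum(addr);
    uint32_t ret = 0;

    for (int i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr >= m->size) {
            continue;                    /* beyond the card: not protected */
        }
        assert(wpnum < m->wpgrps_size);  /* internal invariant, not guest input */
        if (wp_test_bit(m, wpnum)) {
            ret |= 1u << i;
        }
    }
    return ret;
}

/* The pre-fix ordering asserted before the range check, so it aborted as soon
 * as any of the 32 group numbers reached wpgrps_size. Returns true if a CMD30
 * with this argument would have hit that assertion. */
static bool wp_model_old_order_faults(const struct wp_model *m, uint32_t arg)
{
    uint32_t wpnum = wp_addr_to_wpnum(arg);
    for (int i = 0; i < 32; i++, wpnum++) {
        if (wpnum >= m->wpgrps_size) {
            return true;
        }
    }
    return false;
}

/* Constructed demo card: 8 MiB (8 groups) with groups 1 and 6 protected. */
static const struct wp_model *wp_demo_card(void)
{
    static struct wp_model card;
    static bool ready;
    if (!ready) {
        if (!wp_model_init(&card, 8u << 20)) {
            return NULL;
        }
        wp_model_protect(&card, 1u << 20);
        wp_model_protect(&card, (6u << 20) + 123);
        ready = true;
    }
    return &card;
}

int main(void)
{
    const struct wp_model *card = wp_demo_card();
    uint32_t args[] = { 0x0u, 6u << 20, 0x3d000000u };  /* last: reproducer's argument */
    if (card == NULL) {
        return 1;
    }
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        printf("CMD30 arg 0x%08x -> 0x%08x (old ordering would assert: %s)\n",
               (unsigned)args[i], (unsigned)wp_model_wpbits(card, args[i]),
               wp_model_old_order_faults(card, args[i]) ? "yes" : "no");
    }
    return 0;
}
```

Note that on the 8-group demo card even a query at address 0 would have tripped the old ordering, because the loop walks 32 group numbers regardless of the card's size; the range check on `addr` is what turns those extra iterations into zero bits instead of an out-of-bounds index.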
Thread overview: 4+ messages
2021-08-03 17:39 [PULL 0/2] SD/MMC patches for 2021-08-03 Philippe Mathieu-Daudé
2021-08-03 17:39 ` [PULL 1/2] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT Philippe Mathieu-Daudé
2021-08-03 17:39 ` Philippe Mathieu-Daudé [this message]
2021-08-04 12:52 ` [PULL 0/2] SD/MMC patches for 2021-08-03 Peter Maydell