qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Bin Meng" <bin.meng@windriver.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	"David Hildenbrand" <david@redhat.com>,
	"Kevin Wolf" <kwolf@redhat.com>,
	qemu-block@nongnu.org, "Peter Xu" <peterx@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	RivenDell <XRivenDell@outlook.com>,
	"Siqi Chen" <coc.cyqh@gmail.com>,
	ningqiang <ningqiang1@huawei.com>,
	"Mauro Matteo Cascella" <mcascell@redhat.com>
Subject: [PULL 2/3] hw/sd/sdhci: Do not set Buf Wr Ena before writing block (CVE-2022-3872)
Date: Tue,  8 Nov 2022 19:33:51 +0100
Message-ID: <20221108183352.9466-3-philmd@linaro.org>
In-Reply-To: <20221108183352.9466-1-philmd@linaro.org>

When sdhci_write_block_to_card() is called to transfer data from
the FIFO to the SD bus, the data is already present in the buffer
and we have to consume it directly.

See the description of the 'Buffer Write Enable' bit from the
'Present State' register (prnsts::SDHC_SPACE_AVAILABLE) in Table
2.14 from the SDHCI spec v2:

  Buffer Write Enable

  This status is used for non-DMA write transfers.

  The Host Controller can implement multiple buffers to transfer
  data efficiently. This read only flag indicates if space is
  available for write data. If this bit is 1, data can be written
  to the buffer. A change of this bit from 1 to 0 occurs when all
  the block data is written to the buffer. A change of this bit
  from 0 to 1 occurs when top of block data can be written to the
  buffer and generates the Buffer Write Ready interrupt.

In our case, we do not want to overwrite the buffer, so we want
this bit to be 0, then set it to 1 once the data is written onto
the bus.

This is probably a copy/paste error from commit d7dfca0807
("hw/sdhci: introduce standard SD host controller").

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45986#c4

Reproducers:

  $ cat << EOF | \
     qemu-system-x86_64 -nodefaults -display none -machine accel=qtest \
       -m 512M  -device sdhci-pci -device sd-card,drive=mydrive \
       -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
       -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0xe0000058 0x1 0x6e
  write 0xe0000059 0x1 0x5a
  write 0xe0000028 0x1 0x10
  write 0xe000002c 0x1 0x05
  write 0x5a6e 0x1 0x21
  write 0x5a75 0x1 0x20
  write 0xe0000005 0x1 0x02
  write 0xe000000c 0x1 0x01
  write 0xe000000e 0x1 0x20
  write 0xe000000f 0x1 0x00
  write 0xe000000c 0x1 0x00
  write 0xe0000020 0x1 0x00
  EOF

or https://lore.kernel.org/qemu-devel/CAA8xKjXrmS0fkr28AKvNNpyAtM0y0B+5FichpsrhD+mUgnuyKg@mail.gmail.com/

Fixes: CVE-2022-3872
Reported-by: RivenDell <XRivenDell@outlook.com>
Reported-by: Siqi Chen <coc.cyqh@gmail.com>
Reported-by: ningqiang <ningqiang1@huawei.com>
Reported-by: ClusterFuzz
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20221107221236.47841-2-philmd@linaro.org>
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 306070c872..f230e7475f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -954,7 +954,7 @@ static void sdhci_data_transfer(void *opaque)
             sdhci_read_block_from_card(s);
         } else {
             s->prnsts |= SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE |
-                    SDHC_SPACE_AVAILABLE | SDHC_DATA_INHIBIT;
+                                           SDHC_DATA_INHIBIT;
             sdhci_write_block_to_card(s);
         }
     }
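Review bot: the hunk drops SDHC_SPACE_AVAILABLE from the flags set just before sdhci_write_block_to_card() is called, but the code path that raises the bit again once the block has gone out on the bus is outside this diff; since the commit message relies on it ("then set it to 1 once the data is written onto the bus") and a host doing a non-DMA multi-block write polls Buffer Write Enable for each following block, it would help to name that function in the message or to add a one-line comment above `sdhci_write_block_to_card(s);` saying the bit is re-armed there. The qtest reproducer in the commit message is also a ready-made regression check and would be worth carrying into the test suite in a follow-up.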
-- 
2.38.1
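To make the ordering the patch fixes concrete, here is a small C model of the Buffer Write Enable transitions quoted from the spec in the commit message. This is an added example written for this page, not code from QEMU's hw/sd/sdhci.c: the bit values, the block size, the sdhci_model struct and the run_scenario()/scenario_rejected() helpers are all constructed for the example, and only the flag names mirror the patch. With the pre-patch ordering, SDHC_SPACE_AVAILABLE is set while the buffer still holds a block that has not reached the bus, so a host write arriving in that window is accepted and clobbers the block; with the patched ordering the write is refused until write_block_to_card() has drained the buffer and re-armed the bit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholders for the Present State bits used in the patch.
 * The real definitions live in QEMU's sdhci headers and are not copied here. */
#define SDHC_DATA_INHIBIT     (1u << 1)
#define SDHC_DAT_LINE_ACTIVE  (1u << 2)
#define SDHC_DOING_WRITE      (1u << 8)
#define SDHC_SPACE_AVAILABLE  (1u << 10)   /* "Buffer Write Enable" */

#define BLOCK_SIZE 8   /* deliberately tiny block for the model */

typedef struct {
    uint32_t prnsts;                   /* Present State register */
    uint8_t  fifo_buffer[BLOCK_SIZE];  /* the controller's write buffer */
    size_t   data_count;               /* next free byte in fifo_buffer */
    bool     transfer_pending;         /* block counted full, not yet on the bus */
    uint8_t  card[BLOCK_SIZE];         /* what actually reached the "card" */
    unsigned rejected_writes;          /* host writes refused while BWE == 0 */
    bool     set_bwe_before_transfer;  /* true reproduces the pre-patch ordering */
} sdhci_model;

void model_init(sdhci_model *s, bool pre_patch_ordering)
{
    memset(s, 0, sizeof *s);
    s->prnsts = SDHC_SPACE_AVAILABLE;   /* empty buffer: the host may write */
    s->set_bwe_before_transfer = pre_patch_ordering;
}

/* Stand-in for the else branch of sdhci_data_transfer(): the full block is
 * handed to the transfer engine. Draining happens later (asynchronously in
 * QEMU; here when the caller invokes write_block_to_card()). */
static void data_transfer(sdhci_model *s)
{
    s->prnsts |= SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE | SDHC_DATA_INHIBIT;
    if (s->set_bwe_before_transfer) {
        /* The flag the patch removes: advertises free space while the buffer
         * still holds a block that has not gone out on the bus. */
        s->prnsts |= SDHC_SPACE_AVAILABLE;
    }
    s->transfer_pending = true;
}

/* Host write to the Buffer Data Port, following the spec text: accepted only
 * while Buffer Write Enable is 1; the bit goes 1 -> 0 once the block is full. */
bool host_write_byte(sdhci_model *s, uint8_t b)
{
    if (!(s->prnsts & SDHC_SPACE_AVAILABLE)) {
        s->rejected_writes++;
        return false;
    }
    s->fifo_buffer[s->data_count++] = b;
    if (s->data_count == BLOCK_SIZE) {
        s->data_count = 0;                     /* buffer now belongs to the transfer */
        s->prnsts &= ~SDHC_SPACE_AVAILABLE;    /* 1 -> 0: all block data written */
        data_transfer(s);
    }
    return true;
}

/* Drain the buffer onto the bus. Only here may the bit go 0 -> 1 again. */
void write_block_to_card(sdhci_model *s)
{
    if (!s->transfer_pending) {
        return;
    }
    memcpy(s->card, s->fifo_buffer, BLOCK_SIZE);
    s->transfer_pending = false;
    s->prnsts &= ~(SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE | SDHC_DATA_INHIBIT);
    s->prnsts |= SDHC_SPACE_AVAILABLE;         /* 0 -> 1: next block may be written */
}

/* Scenario: one full block, then one more host write that lands before the
 * transfer engine has drained the buffer. Returns how many payload bytes
 * reached the card unmodified; the final model state is copied to *out. */
unsigned run_scenario(bool pre_patch_ordering, uint8_t intruder, sdhci_model *out)
{
    static const uint8_t payload[BLOCK_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    sdhci_model s;
    model_init(&s, pre_patch_ordering);
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        host_write_byte(&s, payload[i]);
    }
    host_write_byte(&s, intruder);   /* arrives while the block is still buffered */
    write_block_to_card(&s);         /* transfer engine runs now */
    unsigned intact = 0;
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        intact += (s.card[i] == payload[i]);
    }
    if (out) {
        *out = s;
    }
    return intact;
}

/* How many host writes the model refused in the scenario above. */
unsigned scenario_rejected(bool pre_patch_ordering)
{
    sdhci_model s;
    run_scenario(pre_patch_ordering, 0xEE, &s);
    return s.rejected_writes;
}

int main(void)
{
    printf("patched ordering : %u/%d bytes intact, %u write(s) rejected\n",
           run_scenario(false, 0xEE, NULL), BLOCK_SIZE, scenario_rejected(false));
    printf("pre-patch ordering: %u/%d bytes intact, %u write(s) rejected\n",
           run_scenario(true, 0xEE, NULL), BLOCK_SIZE, scenario_rejected(true));
    return 0;
}
```

The model keeps the two halves of the transfer separate on purpose: in the device the drain runs from a timer, so whatever the host does between the flags being set and the drain is exactly the window the spec closes by holding Buffer Write Enable at 0 until the block has left the buffer.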



Thread overview:
2022-11-08 18:33 [PULL 0/3] Memory/SDHCI/ParallelFlash patches for v7.2.0-rc0 Philippe Mathieu-Daudé
2022-11-08 18:33 ` [PULL 1/3] memory: Fix wrong end address dump Philippe Mathieu-Daudé
2022-11-08 18:33 ` Philippe Mathieu-Daudé [this message]
2022-11-08 18:33 ` [PULL 3/3] Revert "hw/block/pflash_cfi: Error out if dev length isn't power of 2" Philippe Mathieu-Daudé
2022-11-08 20:49 ` [PULL 0/3] Memory/SDHCI/ParallelFlash patches for v7.2.0-rc0 Stefan Hajnoczi
2022-11-08 20:57   ` Stefan Hajnoczi
2022-11-09  7:43     ` Philippe Mathieu-Daudé
2023-12-21 21:19       ` Salvatore Bonaccorso
2025-06-24  4:43         ` Philippe Mathieu-Daudé
2025-07-01 15:48           ` T K Sourabh
