* [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte()
@ 2024-04-08 14:17 Philippe Mathieu-Daudé
2024-04-08 14:17 ` [RFC PATCH-for-9.0? 1/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch Philippe Mathieu-Daudé
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-04-08 14:17 UTC (permalink / raw)
To: qemu-devel
Cc: Bin Meng, qemu-arm, Philippe Mathieu-Daudé,
Alexander Bulekov, qemu-block
Since this is Fix day, I went over this old bug:
https://gitlab.com/qemu-project/qemu/-/issues/487
It happens to be a QEMU implementation detail not
really related to the spec.
Philippe Mathieu-Daudé (2):
hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
hw/sd/sdcard: Assert @data_offset is in range
hw/sd/sd.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--
2.41.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [RFC PATCH-for-9.0? 1/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
2024-04-08 14:17 [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
@ 2024-04-08 14:17 ` Philippe Mathieu-Daudé
2024-04-08 14:17 ` [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range Philippe Mathieu-Daudé
2024-06-20 13:59 ` [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
2 siblings, 0 replies; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-04-08 14:17 UTC (permalink / raw)
To: qemu-devel
Cc: Bin Meng, qemu-arm, Philippe Mathieu-Daudé,
Alexander Bulekov, qemu-block
For multi-bytes commands, our implementation uses the @data_start
and @data_offset fields to track byte access. We initialize the
command start/offset in buffer once. Malicious guest might abuse
by switching command while staying in the 'transfer' state, switching
command buffer size, and our implementation can access out of buffer
boundary. For example, CMD17 (READ_SINGLE_BLOCK) allows to read up to
512 bytes, and CMD13 (SEND_STATUS) up to 64 bytes. By switching from
CMD17 to CMD13 (see reproducer below), bytes [64-511] are out of the
'status' buffer.
Our implementation return R0 status code for unexpected commands.
Such in-transaction command switch is unexpected and returns R0.
This is a good place to reset the start/offset fields to avoid
malicious accesses.
Can be reproduced running:
$ export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
$ cat << EOF | qemu-system-i386 \
-display none -nographic \
-machine accel=qtest -m 512M \
-nodefaults \
-device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
-qtest stdio -trace sd\* -trace -sdbus_read
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x02
write 0xe000002c 0x1 0x05
write 0xe000000f 0x1 0x37
write 0xe000000a 0x1 0x01
write 0xe000000f 0x1 0x29
write 0xe000000f 0x1 0x02
write 0xe000000f 0x1 0x03
write 0xe000000c 0x1 0x32
write 0xe000000f 0x1 0x06
write 0xe0000005 0x1 0x01
write 0xe0000007 0x1 0x01
write 0xe0000003 0x1 0x00
write 0xe000000f 0x1 0x11
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
write 0xe000000f 0x1 0x0d
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
EOF
hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]'
#0 sd_read_byte hw/sd/sd.c:1984:15
#1 sdbus_read_data hw/sd/core.c:157:23
#2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9
#3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13
#4 sdhci_write hw/sd/sdhci.c:1195:13
#5 memory_region_write_accessor softmmu/memory.c:492:5
#6 access_with_adjusted_size softmmu/memory.c:554:18
#7 memory_region_dispatch_write softmmu/memory.c
#8 flatview_write_continue softmmu/physmem.c:2778:23
#9 flatview_write softmmu/physmem.c:2818:14
#10 address_space_write softmmu/physmem.c:2910:18
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/sd/sd.c:1984:15
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/487
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/sd/sd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 807b5d3de3..16d8d52a78 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1826,6 +1826,12 @@ send_response:
break;
case sd_r0:
+ /*
+ * Invalid state transition, reset implementation
+ * fields to avoid OOB abuse.
+ */
+ sd->data_start = 0;
+ sd->data_offset = 0;
case sd_illegal:
rsplen = 0;
break;
--
2.41.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range
2024-04-08 14:17 [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
2024-04-08 14:17 ` [RFC PATCH-for-9.0? 1/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch Philippe Mathieu-Daudé
@ 2024-04-08 14:17 ` Philippe Mathieu-Daudé
2024-04-08 14:36 ` Peter Maydell
2024-06-20 13:59 ` [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
2 siblings, 1 reply; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-04-08 14:17 UTC (permalink / raw)
To: qemu-devel
Cc: Bin Meng, qemu-arm, Philippe Mathieu-Daudé,
Alexander Bulekov, qemu-block
Prevent out-of-bound access with assertions.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/sd/sd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 16d8d52a78..c081211582 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1875,6 +1875,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
sd->current_cmd, value);
switch (sd->current_cmd) {
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset ++] = value;
if (sd->data_offset >= sd->blk_len) {
/* TODO: Check CRC before committing */
@@ -1901,6 +1902,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
}
}
}
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset++] = value;
if (sd->data_offset >= sd->blk_len) {
/* TODO: Check CRC before committing */
@@ -1925,6 +1927,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
break;
case 26: /* CMD26: PROGRAM_CID */
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset ++] = value;
if (sd->data_offset >= sizeof(sd->cid)) {
/* TODO: Check CRC before committing */
@@ -1944,6 +1947,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
break;
case 27: /* CMD27: PROGRAM_CSD */
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset ++] = value;
if (sd->data_offset >= sizeof(sd->csd)) {
/* TODO: Check CRC before committing */
@@ -1968,6 +1972,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
break;
case 42: /* CMD42: LOCK_UNLOCK */
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset ++] = value;
if (sd->data_offset >= sd->blk_len) {
/* TODO: Check CRC before committing */
@@ -1979,6 +1984,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
break;
case 56: /* CMD56: GEN_CMD */
+ assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset ++] = value;
if (sd->data_offset >= sd->blk_len) {
APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
@@ -2046,6 +2052,7 @@ uint8_t sd_read_byte(SDState *sd)
break;
case 13: /* ACMD13: SD_STATUS */
+ assert(sd->data_offset < sizeof(sd->sd_status));
ret = sd->sd_status[sd->data_offset ++];
if (sd->data_offset >= sizeof(sd->sd_status))
@@ -2055,6 +2062,7 @@ uint8_t sd_read_byte(SDState *sd)
case 17: /* CMD17: READ_SINGLE_BLOCK */
if (sd->data_offset == 0)
BLK_READ_BLOCK(sd->data_start, io_len);
+ assert(sd->data_offset < sizeof(sd->data));
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= io_len)
@@ -2069,6 +2077,7 @@ uint8_t sd_read_byte(SDState *sd)
}
BLK_READ_BLOCK(sd->data_start, io_len);
}
+ assert(sd->data_offset < sizeof(sd->data));
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= io_len) {
@@ -2089,10 +2098,12 @@ uint8_t sd_read_byte(SDState *sd)
if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
sd->state = sd_transfer_state;
}
+ assert(sd->data_offset < sizeof(sd_tuning_block_pattern));
ret = sd_tuning_block_pattern[sd->data_offset++];
break;
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
+ assert(sd->data_offset < sizeof(sd->sd_status));
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= 4)
@@ -2100,6 +2111,7 @@ uint8_t sd_read_byte(SDState *sd)
break;
case 30: /* CMD30: SEND_WRITE_PROT */
+ assert(sd->data_offset < sizeof(sd->data));
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= 4)
@@ -2107,6 +2119,7 @@ uint8_t sd_read_byte(SDState *sd)
break;
case 51: /* ACMD51: SEND_SCR */
+ assert(sd->data_offset < sizeof(sd->scr));
ret = sd->scr[sd->data_offset ++];
if (sd->data_offset >= sizeof(sd->scr))
@@ -2116,6 +2129,7 @@ uint8_t sd_read_byte(SDState *sd)
case 56: /* CMD56: GEN_CMD */
if (sd->data_offset == 0)
APP_READ_BLOCK(sd->data_start, sd->blk_len);
+ assert(sd->data_offset < sizeof(sd->data));
ret = sd->data[sd->data_offset ++];
if (sd->data_offset >= sd->blk_len)
--
2.41.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range
2024-04-08 14:17 ` [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range Philippe Mathieu-Daudé
@ 2024-04-08 14:36 ` Peter Maydell
0 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2024-04-08 14:36 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: qemu-devel, Bin Meng, qemu-arm, Alexander Bulekov, qemu-block
On Mon, 8 Apr 2024 at 15:18, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Prevent out-of-bound access with assertions.
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
> hw/sd/sd.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 16d8d52a78..c081211582 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1875,6 +1875,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
> sd->current_cmd, value);
> switch (sd->current_cmd) {
> case 24: /* CMD24: WRITE_SINGLE_BLOCK */
> + assert(sd->data_offset < sizeof(sd->data));
> sd->data[sd->data_offset ++] = value;
Abstract out functions
static void append_sd_data_byte(SDState *sd, uint8_t value)
{
assert(sd->data_offset < sizeof(sd->data));
sd->data[sd->data_offset++] = value;
}
static void read_sd_data_byte(SDState *sd, uint8_t value)
{
assert(sd->data_offset < sizeof(sd->sd_data));
return sd->data[sd->data_offset++];
}
(etc for read_sd_status_byte() etc) ?
(sadly I don't think there's a verb that is the equivalent
of "prepend/append" but for removing elements.)
> case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
> + assert(sd->data_offset < sizeof(sd->sd_status));
> ret = sd->data[sd->data_offset ++];
Checking against the size of a different array from
the one we're reading from.
thanks
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte()
2024-04-08 14:17 [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
2024-04-08 14:17 ` [RFC PATCH-for-9.0? 1/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch Philippe Mathieu-Daudé
2024-04-08 14:17 ` [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range Philippe Mathieu-Daudé
@ 2024-06-20 13:59 ` Philippe Mathieu-Daudé
2 siblings, 0 replies; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-06-20 13:59 UTC (permalink / raw)
To: qemu-devel; +Cc: Bin Meng, qemu-arm, Alexander Bulekov, qemu-block
On 8/4/24 16:17, Philippe Mathieu-Daudé wrote:
> Since this is Fix day, I went over this old bug:
> https://gitlab.com/qemu-project/qemu/-/issues/487
> It happens to be a QEMU implementation detail not
> really related to the spec.
>
> Philippe Mathieu-Daudé (2):
> hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
First patch queued.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-06-20 14:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-08 14:17 [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
2024-04-08 14:17 ` [RFC PATCH-for-9.0? 1/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch Philippe Mathieu-Daudé
2024-04-08 14:17 ` [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range Philippe Mathieu-Daudé
2024-04-08 14:36 ` Peter Maydell
2024-06-20 13:59 ` [PATCH-for-9.0? 0/2] hw/sd/sdcard: Avoid OOB in sd_read_byte() Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).