[PULL 0/1] ufs queue

[PULL 0/1] ufs queue

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The following changes since commit 3665dd6bb9043bef181c91e2dce9e1efff47ed51:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2024-06-28 16:09:38 -0700)

are available in the Git repository at:

  https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240630

for you to fetch changes up to e12b11f6f29272ee31ccde6b0db1a10139e87083:

  hw/ufs: Fix potential bugs in MMIO read|write (2024-06-30 12:44:32 +0900)

----------------------------------------------------------------
hw/ufs: fix coverity issue

----------------------------------------------------------------
Minwoo Im (1):
      hw/ufs: Fix potential bugs in MMIO read|write

 hw/ufs/ufs.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

[PULL 1/1] hw/ufs: Fix potential bugs in MMIO read|write

[Jeuk Kim]

From: Minwoo Im <minwoo.im.dev@gmail.com>

This patch fixes two points reported in coverity scan report [1].  Check
the MMIO access address with (addr + size), not just with the start offset
addr to make sure that the requested memory access not to exceed the
actual register region.  We also updated (uint8_t *) to (uint32_t *) to
represent we are accessing the MMIO registers by dword-sized only.

[1] https://lore.kernel.org/qemu-devel/CAFEAcA82L-WZnHMW0X+Dr40bHM-EVq2ZH4DG4pdqop4xxDP2Og@mail.gmail.com/

Cc: Jeuk Kim <jeuk20.kim@gmail.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Minwoo Im <minwoo.im.dev@gmail.com>
Reviewed-by: Jeuk Kim <jeuk20.kim@samsung.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20240623024555.78697-1-minwoo.im.dev@gmail.com>
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
---
 hw/ufs/ufs.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index 71a88d221c..683fff5840 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -55,17 +55,18 @@ static inline uint64_t ufs_reg_size(UfsHc *u)
     return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg);
 }
 
-static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr)
+static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size)
 {
     uint64_t mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
-    return addr >= mcq_reg_addr && addr < mcq_reg_addr + sizeof(u->mcq_reg);
+    return (addr >= mcq_reg_addr &&
+            addr + size <= mcq_reg_addr + sizeof(u->mcq_reg));
 }
 
-static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr)
+static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size)
 {
     uint64_t mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
     return (addr >= mcq_op_reg_addr &&
-            addr < mcq_op_reg_addr + sizeof(u->mcq_op_reg));
+            addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
 }
 
 static MemTxResult ufs_addr_read(UfsHc *u, hwaddr addr, void *buf, int size)
@@ -774,25 +775,25 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offset, uint32_t data,
 static uint64_t ufs_mmio_read(void *opaque, hwaddr addr, unsigned size)
 {
     UfsHc *u = (UfsHc *)opaque;
-    uint8_t *ptr;
+    uint32_t *ptr;
     uint64_t value;
     uint64_t offset;
 
-    if (addr < sizeof(u->reg)) {
+    if (addr + size <= sizeof(u->reg)) {
         offset = addr;
-        ptr = (uint8_t *)&u->reg;
-    } else if (ufs_is_mcq_reg(u, addr)) {
+        ptr = (uint32_t *)&u->reg;
+    } else if (ufs_is_mcq_reg(u, addr, size)) {
         offset = addr - ufs_mcq_reg_addr(u, 0);
-        ptr = (uint8_t *)&u->mcq_reg;
-    } else if (ufs_is_mcq_op_reg(u, addr)) {
+        ptr = (uint32_t *)&u->mcq_reg;
+    } else if (ufs_is_mcq_op_reg(u, addr, size)) {
         offset = addr - ufs_mcq_op_reg_addr(u, 0);
-        ptr = (uint8_t *)&u->mcq_op_reg;
+        ptr = (uint32_t *)&u->mcq_op_reg;
     } else {
         trace_ufs_err_invalid_register_offset(addr);
         return 0;
     }
 
-    value = *(uint32_t *)(ptr + offset);
+    value = ptr[offset >> 2];
     trace_ufs_mmio_read(addr, value, size);
     return value;
 }
@@ -804,11 +805,11 @@ static void ufs_mmio_write(void *opaque, hwaddr addr, uint64_t data,
 
     trace_ufs_mmio_write(addr, data, size);
 
-    if (addr < sizeof(u->reg)) {
+    if (addr + size <= sizeof(u->reg)) {
         ufs_write_reg(u, addr, data, size);
-    } else if (ufs_is_mcq_reg(u, addr)) {
+    } else if (ufs_is_mcq_reg(u, addr, size)) {
         ufs_write_mcq_reg(u, addr - ufs_mcq_reg_addr(u, 0), data, size);
-    } else if (ufs_is_mcq_op_reg(u, addr)) {
+    } else if (ufs_is_mcq_op_reg(u, addr, size)) {
         ufs_write_mcq_op_reg(u, addr - ufs_mcq_op_reg_addr(u, 0), data, size);
     } else {
         trace_ufs_err_invalid_register_offset(addr);
-- 
2.34.1

Re: [PULL 0/1] ufs queue

[Richard Henderson]

On 6/29/24 20:52, Jeuk Kim wrote:
> From: Jeuk Kim<jeuk20.kim@samsung.com>
> 
> The following changes since commit 3665dd6bb9043bef181c91e2dce9e1efff47ed51:
> 
>    Merge tag 'for-upstream' ofhttps://gitlab.com/bonzini/qemu  into staging (2024-06-28 16:09:38 -0700)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/jeuk20.kim/qemu.git  tags/pull-ufs-20240630
> 
> for you to fetch changes up to e12b11f6f29272ee31ccde6b0db1a10139e87083:
> 
>    hw/ufs: Fix potential bugs in MMIO read|write (2024-06-30 12:44:32 +0900)
> 
> ----------------------------------------------------------------
> hw/ufs: fix coverity issue

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.


r~

[PULL 0/1] ufs queue

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The following changes since commit b9ee1387e0cf0fba5a73a610d31cb9cead457dc0:

  Merge tag 'sdmmc-20240706' of https://github.com/philmd/qemu into staging (2024-07-07 10:34:52 -0700)

are available in the Git repository at:

  https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240708

for you to fetch changes up to 6db492596dd9204e8fe341b2396472271cf15023:

  hw/ufs: Fix mcq register range determination logic (2024-07-08 10:25:20 +0900)

----------------------------------------------------------------
hw/ufs:
- Fix invalid address access in ufs_is_mcq_reg()

----------------------------------------------------------------
Jeuk Kim (1):
      hw/ufs: Fix mcq register range determination logic

 hw/ufs/ufs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Re: [PULL 0/1] ufs queue

[Jeuk Kim]

I'm so sorry. I forgot to add something to the patch, I'll add it and 
resend it to you.
Sorry again.


On 7/8/2024 10:31 AM, Jeuk Kim wrote:
> From: Jeuk Kim <jeuk20.kim@samsung.com>
>
> The following changes since commit b9ee1387e0cf0fba5a73a610d31cb9cead457dc0:
>
>    Merge tag 'sdmmc-20240706' of https://github.com/philmd/qemu into staging (2024-07-07 10:34:52 -0700)
>
> are available in the Git repository at:
>
>    https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240708
>
> for you to fetch changes up to 6db492596dd9204e8fe341b2396472271cf15023:
>
>    hw/ufs: Fix mcq register range determination logic (2024-07-08 10:25:20 +0900)
>
> ----------------------------------------------------------------
> hw/ufs:
> - Fix invalid address access in ufs_is_mcq_reg()
>
> ----------------------------------------------------------------
> Jeuk Kim (1):
>        hw/ufs: Fix mcq register range determination logic
>
>   hw/ufs/ufs.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)

[PULL 0/1] ufs queue

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The following changes since commit fd87be1dada5672f877e03c2ca8504458292c479:

  Merge tag 'accel-20240426' of https://github.com/philmd/qemu into staging (2024-04-26 15:28:13 -0700)

are available in the Git repository at:

  https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240429

for you to fetch changes up to f2c8aeb1afefcda92054c448b21fc59cdd99db30:

  hw/ufs: Fix buffer overflow bug (2024-04-29 12:13:35 +0900)

----------------------------------------------------------------
ufs queue

- Fix ufs sanitizer vulnerability

----------------------------------------------------------------
Jeuk Kim (1):
      hw/ufs: Fix buffer overflow bug

 hw/ufs/ufs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Re: [PULL 0/1] ufs queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 1241 bytes --]

On Mon, Apr 29, 2024 at 12:25:37PM +0900, Jeuk Kim wrote:
> From: Jeuk Kim <jeuk20.kim@samsung.com>
> 
> The following changes since commit fd87be1dada5672f877e03c2ca8504458292c479:
> 
>   Merge tag 'accel-20240426' of https://github.com/philmd/qemu into staging (2024-04-26 15:28:13 -0700)
> 
> are available in the Git repository at:
> 
>   https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240429
> 
> for you to fetch changes up to f2c8aeb1afefcda92054c448b21fc59cdd99db30:
> 
>   hw/ufs: Fix buffer overflow bug (2024-04-29 12:13:35 +0900)
> 
> ----------------------------------------------------------------
> ufs queue
> 
> - Fix ufs sanitizer vulnerability
> 
> ----------------------------------------------------------------
> Jeuk Kim (1):
>       hw/ufs: Fix buffer overflow bug
> 
>  hw/ufs/ufs.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 

Thanks, applied to my block tree:
https://gitlab.com/stefanha/qemu/commits/block

It will be included in my next block pull request.

You are welcome to send pull requests directly to the qemu.git/master
maintainer (Richard Henderson is on duty for this release cycle). If you
do that, make sure to GPG sign your pull request.

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PULL 0/1] ufs queue

[Richard Henderson]

On 4/29/24 06:41, Stefan Hajnoczi wrote:
> On Mon, Apr 29, 2024 at 12:25:37PM +0900, Jeuk Kim wrote:
>> From: Jeuk Kim <jeuk20.kim@samsung.com>
>>
>> The following changes since commit fd87be1dada5672f877e03c2ca8504458292c479:
>>
>>    Merge tag 'accel-20240426' of https://github.com/philmd/qemu into staging (2024-04-26 15:28:13 -0700)
>>
>> are available in the Git repository at:
>>
>>    https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240429
>>
>> for you to fetch changes up to f2c8aeb1afefcda92054c448b21fc59cdd99db30:
>>
>>    hw/ufs: Fix buffer overflow bug (2024-04-29 12:13:35 +0900)
>>
>> ----------------------------------------------------------------
>> ufs queue
>>
>> - Fix ufs sanitizer vulnerability
>>
>> ----------------------------------------------------------------
>> Jeuk Kim (1):
>>        hw/ufs: Fix buffer overflow bug
>>
>>   hw/ufs/ufs.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
> 
> Thanks, applied to my block tree:
> https://gitlab.com/stefanha/qemu/commits/block
> 
> It will be included in my next block pull request.
> 
> You are welcome to send pull requests directly to the qemu.git/master
> maintainer (Richard Henderson is on duty for this release cycle). If you
> do that, make sure to GPG sign your pull request.

He did. I have

     Merge tag 'pull-ufs-20240429' of https://gitlab.com/jeuk20.kim/qemu into staging

     ufs queue

     # -----BEGIN PGP SIGNATURE-----
     #
     # iQIzBAABCgAdFiEEUBfYMVl8eKPZB+73EuIgTA5dtgIFAmYvEScACgkQEuIgTA5d
     # tgL3Qg//R3IcISQqqDaJ/ySzKGmkyohJSc6ySLYvla4Aki7PV+um2Dx/XNS7uG2b
     # d3Qz4m6QaOKsocLfldRTn2FxVK238Rp5HNny5vc0kGRdwpR514B7aU0FhpT7qObS
     # wbbgRdDddIBIiCFLhtXtg5/TK2h32VxGrVI6llX4gmd2VzqM0e4xeG1Oj8rZseOY
     # SAgvDv68s1YwlO1p1vPvst/H+mUKYkqtPN1mjfCIn5tM6ss8kCLUnKjqGAg1BnSN
     # xwaGrqqOlzQK2+aV02eiItiow8evU/h+c9eiTnBo/EvBwjoBn6flNXABWXFENnmP
     # JjVIFeiNzSFhBPDzO23GXviuEt96j5lrcGYR48HYMZfEbJNpblXzWvEGMZWnXNgx
     # Q3cpcarZ4vSWIflR9OnCSQaGLA0Ny6YqLbmrM/oD+v67EITafKKc+flmiF7DBASB
     # fUoEsdffdA37LDtygJb7hfUhvPQWWAujmGzZ1cDP8Oa0MhT7aiD0Z/WqhhjVQbM0
     # iLiCDDD0cc0pmT3vw3EnEjKjnSkY3H62Q7pnYHiQgij4Ls/Rdd/P7OkSd0aI82t0
     # TooWGZJnyf8rjAzY2cEB1Twrhmhuyt9NnGxip9W8JsQBZMLabD2CahOm83zsk7jZ
     # 3fOONz6XrW2ttFkLZcRd4x4YjKONjEXsSX2ZrXTZ5t3USz/VNvY=
     # =Vwyi
     # -----END PGP SIGNATURE-----
     # gpg: Signature made Sun 28 Apr 2024 08:16:55 PM PDT
     # gpg:                using RSA key 5017D831597C78A3D907EEF712E2204C0E5DB602
     # gpg: Good signature from "Jeuk Kim <jeuk20.kim@samsung.com>" [unknown]
     # gpg:                 aka "Jeuk Kim <jeuk20.kim@gmail.com>" [unknown]
     # gpg: WARNING: This key is not certified with a trusted signature!
     # gpg:          There is no indication that the signature belongs to the owner.
     # Primary key fingerprint: 5017 D831 597C 78A3 D907  EEF7 12E2 204C 0E5D B602

queued for the next merge.


r~

Re: [PULL 0/1] ufs queue

[Richard Henderson]

On 4/28/24 20:25, Jeuk Kim wrote:
> From: Jeuk Kim<jeuk20.kim@samsung.com>
> 
> The following changes since commit fd87be1dada5672f877e03c2ca8504458292c479:
> 
>    Merge tag 'accel-20240426' ofhttps://github.com/philmd/qemu  into staging (2024-04-26 15:28:13 -0700)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/jeuk20.kim/qemu.git  tags/pull-ufs-20240429
> 
> for you to fetch changes up to f2c8aeb1afefcda92054c448b21fc59cdd99db30:
> 
>    hw/ufs: Fix buffer overflow bug (2024-04-29 12:13:35 +0900)
> 
> ----------------------------------------------------------------
> ufs queue
> 
> - Fix ufs sanitizer vulnerability

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.


r~

[PULL 0/1] ufs queue

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The following changes since commit c60be6e3e38cb36dc66129e757ec4b34152232be:

  Merge tag 'pull-sp-20231025' of https://gitlab.com/rth7680/qemu into staging (2023-10-27 09:43:53 +0900)

are available in the Git repository at:

  https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20231030

for you to fetch changes up to 096434fea13acd19f4ead00cdf9babea8dc7e61e:

  hw/ufs: Modify lu.c to share codes with SCSI subsystem (2023-10-30 10:28:04 +0900)

----------------------------------------------------------------
ufs queue:

* Modify lu.c to share codes with SCSI

----------------------------------------------------------------
Jeuk Kim (1):
      hw/ufs: Modify lu.c to share codes with SCSI subsystem

 hw/ufs/lu.c            | 1473 ++++++++----------------------------------------
 hw/ufs/trace-events    |   25 -
 hw/ufs/ufs.c           |  202 +------
 hw/ufs/ufs.h           |   36 +-
 include/block/ufs.h    |    2 +-
 tests/qtest/ufs-test.c |   37 +-
 6 files changed, 315 insertions(+), 1460 deletions(-)

Re: [PULL 0/1] ufs queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.2 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]