From: Mauro Matteo Cascella <mcascell@redhat.com>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
Cc: qemu-block@nongnu.org, Bin Meng <bin.meng@windriver.com>,
Li Qiang <liq3ea@163.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Prasad J Pandit <ppandit@redhat.com>,
Alexander Bulekov <alxndr@bu.edu>, Bandan Das <bsd@redhat.com>,
Alistair Francis <alistair.francis@wdc.com>,
Bin Meng <bmeng.cn@gmail.com>
Subject: Re: [PATCH] hw/sd/sdhci: Do not modify BlockSizeRegister if transaction in progress
Date: Mon, 8 Feb 2021 20:58:49 +0100 [thread overview]
Message-ID: <CAA8xKjUPrQkqdJR46Pa4U2ymBDL=KZHvVC9-CzQOR3OqOp8hPg@mail.gmail.com> (raw)
In-Reply-To: <20210208193450.2689517-1-f4bug@amsat.org>
On Mon, Feb 8, 2021 at 8:35 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Per the "SD Host Controller Simplified Specification Version 2.00"
> spec. 'Table 2-4 : Block Size Register':
>
> Transfer Block Size [...] can be accessed only if no
> transaction is executing (i.e., after a transaction has stopped).
> Read operations during transfers may return an invalid value,
> and write operations shall be ignored.
>
> Transactions will update 'data_count', so do not modify 'blksize'
> and 'blkcnt' when 'data_count' is used. This fixes:
>
> $ cat << EOF | qemu-system-x86_64 -qtest stdio -monitor none \
> -nographic -serial none -M pc-q35-5.0 \
> -device sdhci-pci,sd-spec-version=3 \
> -device sd-card,drive=mydrive \
> -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive
> outl 0xcf8 0x80001810
> outl 0xcfc 0xe1068000
> outl 0xcf8 0x80001814
> outl 0xcf8 0x80001804
> outw 0xcfc 0x7
> outl 0xcf8 0x8000fa20
> write 0xe106802c 0x1 0x0f
> write 0xe1068004 0xc 0x2801d10101fffffbff28a384
> write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
> write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
> write 0xe1068003 0x1 0xfe
> EOF
> =================================================================
> ==2686219==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500003bb00 at pc 0x55ab469f456c bp 0x7ffee71be330 sp 0x7ffee71bdae0
> WRITE of size 4 at 0x61500003bb00 thread T0
> #0 0x55ab469f456b in __asan_memcpy (qemu-system-i386+0x1cea56b)
> #1 0x55ab483dc396 in stl_he_p include/qemu/bswap.h:353:5
> #2 0x55ab483af5e4 in stn_he_p include/qemu/bswap.h:546:1
> #3 0x55ab483aeb4b in flatview_read_continue softmmu/physmem.c:2839:13
> #4 0x55ab483b0705 in flatview_read softmmu/physmem.c:2877:12
> #5 0x55ab483b028e in address_space_read_full softmmu/physmem.c:2890:18
> #6 0x55ab483b1294 in address_space_rw softmmu/physmem.c:2918:16
> #7 0x55ab479374a2 in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> #8 0x55ab47936f50 in dma_memory_rw include/sysemu/dma.h:127:12
> #9 0x55ab4793665f in dma_memory_read include/sysemu/dma.h:145:12
> #10 0x55ab4792f176 in sdhci_sdma_transfer_multi_blocks hw/sd/sdhci.c:639:13
> #11 0x55ab4793dc9d in sdhci_write hw/sd/sdhci.c:1129:17
> #12 0x55ab483f8db8 in memory_region_write_accessor softmmu/memory.c:491:5
> #13 0x55ab483f868a in access_with_adjusted_size softmmu/memory.c:552:18
> #14 0x55ab483f6da5 in memory_region_dispatch_write softmmu/memory.c:1501:16
> #15 0x55ab483c3b11 in flatview_write_continue softmmu/physmem.c:2774:23
> #16 0x55ab483b0eb6 in flatview_write softmmu/physmem.c:2814:14
> #17 0x55ab483b0a3e in address_space_write softmmu/physmem.c:2906:18
> #18 0x55ab48465c56 in qtest_process_command softmmu/qtest.c:654:9
>
> 0x61500003bb00 is located 0 bytes to the right of 512-byte region [0x61500003b900,0x61500003bb00)
> allocated by thread T0 here:
> #0 0x55ab469f58a7 in calloc (qemu-system-i386+0x1ceb8a7)
> #1 0x7f21d678f9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
> #2 0x55ab479530ed in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
> #3 0x55ab476f102a in pci_qdev_realize hw/pci/pci.c:2108:9
> #4 0x55ab48baaad2 in device_set_realized hw/core/qdev.c:761:13
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1cea56b) in __asan_memcpy
> Shadow bytes around the buggy address:
> 0x0c2a7ffff710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c2a7ffff720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2a7ffff730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2a7ffff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2a7ffff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c2a7ffff760:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c2a7ffff770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a7ffff780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a7ffff790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a7ffff7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a7ffff7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Heap left redzone: fa
> Freed heap region: fd
> ==2686219==ABORTING
>
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Cc: Alexander Bulekov <alxndr@bu.edu>
> Cc: Alistair Francis <alistair.francis@wdc.com>
> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Bandan Das <bsd@redhat.com>
>
> RFC because missing Reported-by tags, launchpad/bugzilla links and
> qtest reproducer. Sending for review meanwhile.
> ---
> hw/sd/sdhci.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 8ffa53999d8..7ac7d9af9e4 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -1133,6 +1133,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
> }
> break;
> case SDHC_BLKSIZE:
> + if (s->data_count) {
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "%s: Can not update blksize when"
> + " transaction is executing\n", __func__);
> + break;
> + }
> if (!TRANSFERRING_DATA(s->prnsts)) {
> MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
> MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
> --
> 2.26.2
>
For the above CVEs:
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Thanks a lot,
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
next prev parent reply other threads:[~2021-02-09 0:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-08 19:34 [PATCH] hw/sd/sdhci: Do not modify BlockSizeRegister if transaction in progress Philippe Mathieu-Daudé
2021-02-08 19:58 ` Mauro Matteo Cascella [this message]
2021-02-08 20:25 ` Philippe Mathieu-Daudé
2021-02-09 8:37 ` Mauro Matteo Cascella
2021-02-09 8:28 ` Bin Meng
2021-02-09 9:38 ` Philippe Mathieu-Daudé
2021-02-09 9:42 ` Bin Meng
2021-02-09 9:45 ` Bin Meng
2021-02-09 14:34 ` Alexander Bulekov
2021-02-11 17:04 ` Alexander Bulekov
2021-02-11 19:45 ` Philippe Mathieu-Daudé
2021-02-11 20:20 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAA8xKjUPrQkqdJR46Pa4U2ymBDL=KZHvVC9-CzQOR3OqOp8hPg@mail.gmail.com' \
--to=mcascell@redhat.com \
--cc=alistair.francis@wdc.com \
--cc=alxndr@bu.edu \
--cc=bin.meng@windriver.com \
--cc=bmeng.cn@gmail.com \
--cc=bsd@redhat.com \
--cc=f4bug@amsat.org \
--cc=liq3ea@163.com \
--cc=ppandit@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).