Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT
From: Bin Meng
Subject: Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)
Date: Mon, 5 Jul 2021 15:52:32 +0800
On Fri, Jul 2, 2021 at 11:59 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers an assertion:
>
> qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
> Assertion `wpnum < sd->wpgrps_size' failed.
> ==11578== ERROR: libFuzzer: deadly signal
> #8 0x7ffff628e091 in __assert_fail
> #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
> #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
> #11 0x5555588d777c in sd_do_command hw/sd/sd.c
> #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
> #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
> #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
> #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
>
> Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
> $ make check-qtest-i386
> ...
> Running test qtest-i386/fuzz-sdcard-test
> qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum <
> sd->wpgrps_size' failed.
>
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> hw/sd/sd.c | 5 +++
> tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
> MAINTAINERS | 3 +-
> tests/qtest/meson.build | 1 +
> 4 files changed, 74 insertions(+), 1 deletion(-)
> create mode 100644 tests/qtest/fuzz-sdcard-test.c
>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
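
The check the commit message describes, validating the guest-supplied address before the write-protect-group lookup, shown as an added example that is not part of the original post and is not QEMU's code. `card_model`, `make_card`, `in_range`, `send_write_prot`, the group size and the 8-group card are all hypothetical, and reporting groups past the end of the card as 0 is an assumption of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not QEMU's SDState: all names and sizes are assumptions. */
#define WPGROUP_SIZE (128u * 1024u)          /* bytes per write-protect group */
#define WPGRPS       8u                      /* constructed: 8-group card */

typedef struct {
    uint64_t size;                /* card capacity in bytes */
    bool wp_group[WPGRPS];        /* one flag per write-protect group */
    bool address_error;           /* models the error bit the guest reads back */
} card_model;

static card_model make_card(void)
{
    card_model c = { .size = (uint64_t)WPGRPS * WPGROUP_SIZE };
    c.wp_group[2] = c.wp_group[7] = true;    /* constructed sample state */
    return c;
}

/* Guest-controlled addr: compare without computing addr + len (no wraparound). */
static bool in_range(card_model *c, uint64_t addr, uint64_t len)
{
    bool ok = addr <= c->size && len <= c->size - addr;
    c->address_error |= !ok;
    return ok;
}

/* CMD30 model: bit i reports the group i places after the addressed one. */
static bool send_write_prot(card_model *c, uint64_t addr, uint32_t *bits)
{
    if (!in_range(c, addr, 1)) return false; /* reject before any indexing */
    uint64_t wpnum = addr / WPGROUP_SIZE;    /* < WPGRPS because addr < size */
    *bits = 0;
    for (unsigned i = 0; i < 32 && wpnum < WPGRPS; i++, wpnum++) {
        *bits |= (uint32_t)c->wp_group[wpnum] << i; /* past the end stays 0 */
    }
    return true;
}

int main(void)
{
    card_model c = make_card();
    uint32_t bits = 0;
    printf("in range: %d\n", send_write_prot(&c, 0, &bits));
    printf("past end: %d\n", send_write_prot(&c, c.size, &bits));
    return 0;
}
```

An out-of-range request is rejected and flagged to the guest instead of reaching the array index, which is the condition the failed assertion in the trace was guarding.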