Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT

From:	Bin Meng
Subject:	Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)
Date:	Mon, 5 Jul 2021 15:52:32 +0800

On Fri, Jul 2, 2021 at 11:59 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers an assertion:
>
>   qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): 
> Assertion `wpnum < sd->wpgrps_size' failed.
>   ==11578== ERROR: libFuzzer: deadly signal
>   #8 0x7ffff628e091 in __assert_fail
>   #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
>   #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
>   #11 0x5555588d777c in sd_do_command hw/sd/sd.c
>   #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
>   #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
>   #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
>   #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
>
> Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
>   $ make check-qtest-i386
>   ...
>   Running test qtest-i386/fuzz-sdcard-test
>   qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < 
> sd->wpgrps_size' failed.
>
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sd.c                     |  5 +++
>  tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
>  MAINTAINERS                    |  3 +-
>  tests/qtest/meson.build        |  1 +
>  4 files changed, 74 insertions(+), 1 deletion(-)
>  create mode 100644 tests/qtest/fuzz-sdcard-test.c
>

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30), Philippe Mathieu-Daudé, 2021/07/02
- [PATCH 1/3] hw/sd: When card is in wrong state, log which state it is, Philippe Mathieu-Daudé, 2021/07/02
  - Re: [PATCH 1/3] hw/sd: When card is in wrong state, log which state it is, Alexander Bulekov, 2021/07/02
- [PATCH 2/3] hw/sd: Extract address_in_range() helper, log invalid accesses, Philippe Mathieu-Daudé, 2021/07/02
- [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30), Philippe Mathieu-Daudé, 2021/07/02
  - Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30), Alexander Bulekov, 2021/07/02
  - Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30), Bin Meng <=
- Re: [PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30), Philippe Mathieu-Daudé, 2021/07/05

Prev by Date: Re: [PATCH v3] dp8393x: don't force 32-bit register access
Next by Date: Re: [PATCH v4 0/4] avocado-qemu: New SMMUv3 and intel IOMMU tests
Previous by thread: Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)
Next by thread: Re: [PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)
Index(es):
- Date
- Thread