hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers the assertion added in commitstable-6.084816fb63e
("hw/sd/sdcard: Assert if accessing an illegal group"): qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed. #3 0x7f62a8b22c91 in __assert_fail #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9 #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38 #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17 #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c💯16 #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12 #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9 #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5 It is legal for the CMD30 to query for out-of-range addresses. Such invalid addresses are simply ignored in the response (write protection bits set to 0). In commit84816fb63e
("hw/sd/sdcard: Assert if accessing an illegal group") we misplaced the assertion *before* we test the address is in range. Move it *after*. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed. Cc: qemu-stable@nongnu.org Reported-by: OSS-Fuzz (Issue 29225) Suggested-by: Peter Maydell <peter.maydell@linaro.org> Fixes:84816fb63e
("hw/sd/sdcard: Assert if accessing an illegal group") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210802235524.3417739-3-f4bug@amsat.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Tested-by: Alexander Bulekov <alxndr@bu.edu> (cherry picked from commit4ac0b72bae
) *drop fuzz test additions, since sdcard fuzz test has functional dependency on guest-visible change not flagged for stable:59b63d78
("hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)") Signed-off-by: Michael Roth <michael.roth@amd.com>
parent
21611dd0a5
commit
978c11b013
|
@ -821,7 +821,6 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
|
|||
wpnum = sd_addr_to_wpnum(addr);
|
||||
|
||||
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
|
||||
assert(wpnum < sd->wpgrps_size);
|
||||
if (addr >= sd->size) {
|
||||
/*
|
||||
* If the addresses of the last groups are outside the valid range,
|
||||
|
@ -829,6 +828,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
|
|||
*/
|
||||
continue;
|
||||
}
|
||||
assert(wpnum < sd->wpgrps_size);
|
||||
if (test_bit(wpnum, sd->wp_groups)) {
|
||||
ret |= (1 << i);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue