diff options
| author | Philippe Mathieu-Daudé <f4bug@amsat.org> | 2021-08-03 01:55:24 +0200 |
|---|---|---|
| committer | Philippe Mathieu-Daudé <f4bug@amsat.org> | 2021-08-03 19:34:51 +0200 |
| commit | 4ac0b72bae85cf94ae0e5153b9c2c288c71667d4 (patch) | |
| tree | 5e5d66138991d2e475f48c9114bdf3f9e2d8d962 | |
| parent | 2a0396285daa9483459ec1d3791951300b595e85 (diff) | |
| download | qemu-4ac0b72bae85cf94ae0e5153b9c2c288c71667d4.zip qemu-4ac0b72bae85cf94ae0e5153b9c2c288c71667d4.tar.gz qemu-4ac0b72bae85cf94ae0e5153b9c2c288c71667d4.tar.bz2 | |
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
Assertion `wpnum < sd->wpgrps_size' failed.
#3 0x7f62a8b22c91 in __assert_fail
#4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
#5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
#6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
#7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
#8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
#9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
#10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).
In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.
Include the qtest reproducer provided by Alexander Bulekov:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.
Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
| -rw-r--r-- | hw/sd/sd.c | 2 | ||||
| -rw-r--r-- | tests/qtest/fuzz-sdcard-test.c | 36 |
2 files changed, 37 insertions, 1 deletions
@@ -821,7 +821,6 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) wpnum = sd_addr_to_wpnum(addr); for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { - assert(wpnum < sd->wpgrps_size); if (addr >= sd->size) { /* * If the addresses of the last groups are outside the valid range, @@ -829,6 +828,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) */ continue; } + assert(wpnum < sd->wpgrps_size); if (test_bit(wpnum, sd->wp_groups)) { ret |= (1 << i); } diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c index 96602ea..ae14305 100644 --- a/tests/qtest/fuzz-sdcard-test.c +++ b/tests/qtest/fuzz-sdcard-test.c @@ -52,6 +52,41 @@ static void oss_fuzz_29225(void) qtest_quit(s); } +/* + * https://gitlab.com/qemu-project/qemu/-/issues/495 + * Used to trigger: + * Assertion `wpnum < sd->wpgrps_size' failed. + */ +static void oss_fuzz_36217(void) +{ + QTestState *s; + + s = qtest_init(" -display none -m 32 -nodefaults -nographic" + " -device sdhci-pci,sd-spec-version=3 " + "-device sd-card,drive=d0 " + "-drive if=none,index=0,file=null-co://,format=raw,id=d0"); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe0000000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x02); + qtest_bufwrite(s, 0xe000002c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x37", 0x1); + qtest_bufwrite(s, 0xe000000a, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x29", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x02", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x03", 0x1); + qtest_bufwrite(s, 0xe0000005, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x06", 0x1); + qtest_bufwrite(s, 0xe000000c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000e, "\x20", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x08", 0x1); + qtest_bufwrite(s, 0xe000000b, "\x3d", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x1e", 0x1); + + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -60,6 +95,7 @@ int main(int argc, char **argv) if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225); + qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217); } return g_test_run(); |