Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range

From:	Philippe Mathieu-Daudé
Subject:	Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range
Date:	Fri, 26 Jun 2020 19:43:17 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

On 6/26/20 6:40 PM, Philippe Mathieu-Daudé wrote:
> As a defense, assert if the requested address is out of the card area.
> 
> Suggested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sd.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 22392e5084..2689a27b49 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -537,8 +537,10 @@ static void sd_response_r7_make(SDState *sd, uint8_t 
> *response)
>      stl_be_p(response, sd->vhs);
>  }
>  
> -static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
> +static uint64_t sd_addr_to_wpnum(SDState *sd, uint64_t addr)
>  {
> +    assert(addr < sd->size);

This should be:

       assert(addr <= sd->size);

> +
>      return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
>  }
>  
> @@ -575,7 +577,7 @@ static void sd_reset(DeviceState *dev)
>      sd_set_cardstatus(sd);
>      sd_set_sdstatus(sd);
>  
> -    sect = sd_addr_to_wpnum(size) + 1;
> +    sect = sd_addr_to_wpnum(sd, size) + 1;
>      g_free(sd->wp_groups);
>      sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
>      sd->wpgrps_size = sect;
> @@ -759,8 +761,8 @@ static void sd_erase(SDState *sd)
>          erase_end *= HWBLOCK_SIZE;
>      }
>  
> -    erase_start = sd_addr_to_wpnum(erase_start);
> -    erase_end = sd_addr_to_wpnum(erase_end);
> +    erase_start = sd_addr_to_wpnum(sd, erase_start);
> +    erase_end = sd_addr_to_wpnum(sd, erase_end);
>      sd->erase_start = 0;
>      sd->erase_end = 0;
>      sd->csd[14] |= 0x40;
> @@ -777,7 +779,7 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
>      uint32_t i, wpnum;
>      uint32_t ret = 0;
>  
> -    wpnum = sd_addr_to_wpnum(addr);
> +    wpnum = sd_addr_to_wpnum(sd, addr);
>  
>      for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
>          if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
> @@ -819,7 +821,7 @@ static void sd_function_switch(SDState *sd, uint32_t arg)
>  
>  static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
>  {
> -    return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
> +    return test_bit(sd_addr_to_wpnum(sd, addr), sd->wp_groups);
>  }
>  
>  static void sd_lock_command(SDState *sd)
> @@ -1331,7 +1333,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
> SDRequest req)
>              }
>  
>              sd->state = sd_programming_state;
> -            set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
> +            set_bit(sd_addr_to_wpnum(sd, addr), sd->wp_groups);
>              /* Bzzzzzzztt .... Operation complete.  */
>              sd->state = sd_transfer_state;
>              return sd_r1b;
> @@ -1350,7 +1352,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
> SDRequest req)
>              }
>  
>              sd->state = sd_programming_state;
> -            clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
> +            clear_bit(sd_addr_to_wpnum(sd, addr), sd->wp_groups);
>              /* Bzzzzzzztt .... Operation complete.  */
>              sd->state = sd_transfer_state;
>              return sd_r1b;
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v5 05/15] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, (continued)
- [PATCH v5 05/15] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 04/15] hw/sd/sdcard: Use the HWBLOCK_SIZE definition, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 02/15] hw/sd/sdcard: Update coding style to make checkpatch.pl happy, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 10/15] hw/sd/sdcard: Simplify cmd_valid_while_locked(), Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 06/15] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 14/15] hw/sd/sdcard: Display offset in read/write_data() trace events, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 01/15] MAINTAINERS: Cc qemu-block mailing list, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 03/15] hw/sd/sdcard: Move some definitions to use them earlier, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 07/15] hw/sd/sdcard: Initialize constant values first, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 08/15] hw/sd/sdcard: Check address is in range, Philippe Mathieu-Daudé, 2020/06/26
  - Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range, Philippe Mathieu-Daudé <=
    - Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range, Philippe Mathieu-Daudé, 2020/06/30
- [PATCH v5 09/15] hw/sd/sdcard: Update the SDState documentation, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 12/15] hw/sd/sdcard: Make iolen unsigned, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 11/15] hw/sd/sdcard: Constify sd_crc*()'s message argument, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 13/15] hw/sd/sdcard: Correctly display the command name in trace events, Philippe Mathieu-Daudé, 2020/06/26
- [PATCH v5 15/15] hw/sd/sdcard: Simplify realize() a bit, Philippe Mathieu-Daudé, 2020/06/26
- Re: [PATCH v5 00/15] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups, no-reply, 2020/06/26

Prev by Date: Re: [PATCH 07/46] error: Avoid more error_propagate() when error is not used here
Next by Date: [PATCH v3 01/30] iotests: Fix 051 output after qdev_init_nofail() removal
Previous by thread: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range
Next by thread: Re: [PATCH v5 08/15] hw/sd/sdcard: Check address is in range
Index(es):
- Date
- Thread