[Qemu-commits] [qemu/qemu] 2a0396: hw/sd/sdcard: Document out-of-range a
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 2a0396: hw/sd/sdcard: Document out-of-range addresses for ...
Date: Wed, 04 Aug 2021 05:53:34 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 2a0396285daa9483459ec1d3791951300b595e85
https://github.com/qemu/qemu/commit/2a0396285daa9483459ec1d3791951300b595e85
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2021-08-03 (Tue, 03 Aug 2021)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT
Per the 'Physical Layer Simplified Specification Version 3.01',
Table 4-22: 'Block Oriented Write Protection Commands'
SEND_WRITE_PROT (CMD30)
If the card provides write protection features, this command asks
the card to send the status of the write protection bits [1].
[1] 32 write protection bits (representing 32 write protect groups
starting at the specified address) [...]
The last (least significant) bit of the protection bits corresponds
to the first addressed group. If the addresses of the last groups
are outside the valid range, then the corresponding write protection
bits shall be set to 0.
Split the if() statement (without changing the behaviour of the code)
to better position the description comment.
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-2-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Commit: 4ac0b72bae85cf94ae0e5153b9c2c288c71667d4
https://github.com/qemu/qemu/commit/4ac0b72bae85cf94ae0e5153b9c2c288c71667d4
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2021-08-03 (Tue, 03 Aug 2021)
Changed paths:
M hw/sd/sd.c
M tests/qtest/fuzz-sdcard-test.c
Log Message:
-----------
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t
sd_wpbits(SDState *, uint64_t):
Assertion `wpnum < sd->wpgrps_size' failed.
#3 0x7f62a8b22c91 in __assert_fail
#4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
#5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
#6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
#7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
#8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
#9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
#10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).
In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.
Include the qtest reproducer provided by Alexander Bulekov:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum <
sd->wpgrps_size' failed.
Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Commit: 700d82c9bc6c1c53d5f501fc2d099d28da0cef7a
https://github.com/qemu/qemu/commit/700d82c9bc6c1c53d5f501fc2d099d28da0cef7a
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2021-08-04 (Wed, 04 Aug 2021)
Changed paths:
M hw/sd/sd.c
M tests/qtest/fuzz-sdcard-test.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging
SD/MMC patches queue
- sdcard: Fix assertion accessing out-of-range addresses
with SEND_WRITE_PROT (CMD30)
# gpg: Signature made Tue 03 Aug 2021 18:38:03 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>"
[full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd/tags/sdmmc-20210803:
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/ef6607edf005...700d82c9bc6c
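
The fix described in commit 4ac0b72bae85 above, as an added example that is not QEMU's code: a minimal model of the CMD30 response loop in which the assertion sits after the range check, so out-of-range groups yield 0 bits instead of aborting. The struct, the function names, the group size and the sample card are assumptions made for this illustration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model parameters, not QEMU's values. */
#define WPGROUP_SIZE 4096u   /* bytes per write-protect group (assumed) */
#define MAX_GROUPS   64u

struct card {
    uint64_t size;           /* card capacity in bytes */
    uint32_t wpgrps_size;    /* number of valid write-protect groups */
    uint8_t  wp[MAX_GROUPS]; /* 1 = group is write protected */
};

/* CMD30 response: bit i describes group (arg / WPGROUP_SIZE) + i. */
static uint32_t send_write_prot(const struct card *c, uint32_t arg)
{
    uint64_t addr = arg;     /* widened so addr += WPGROUP_SIZE cannot wrap */
    uint64_t wpnum = addr / WPGROUP_SIZE;
    uint32_t ret = 0;

    for (unsigned i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr >= c->size) {
            /* Out-of-range group: legal to query, its bit stays 0. */
            continue;
        }
        /* Internal invariant, checked only for in-range addresses.
         * Placed before the range check, this assert would fire on
         * a guest-supplied argument. */
        assert(wpnum < c->wpgrps_size);
        if (c->wp[wpnum]) {
            ret |= 1u << i;
        }
    }
    return ret;
}

/* Constructed sample card: 8 groups, groups 6 and 7 protected. */
static struct card sample_card(void)
{
    struct card c = { .size = 8u * WPGROUP_SIZE, .wpgrps_size = 8 };
    c.wp[6] = c.wp[7] = 1;
    return c;
}

int main(void)
{
    struct card c = sample_card();
    printf("last groups:  0x%08x\n", send_write_prot(&c, 6u * WPGROUP_SIZE));
    printf("out of range: 0x%08x\n", send_write_prot(&c, 0xFFFFF000u));
    return 0;
}
```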