From: Mauro Matteo Cascella
Subject: Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()
Date: Wed, 9 Nov 2022 11:10:21 +0100

On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen <coc.cyqh@gmail.com> wrote:
>
> Hi,
>
> >This reproducer does not crash my QEMU. Am I missing anything?
> I submitted the reproducer. Because the overflow is only one byte, it may not
> be detected by the host's heap allocator. Do you compile your qemu with a
> sanitizer? This is my build configuration: "./configure
> --target-list=x86_64-softmmu --enable-sanitizers"

Right, you need to recompile QEMU with ASAN support. This is an
excerpt of the stack trace:

=================================================================
==39159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000022880 at pc 0x55b023db5fe1 bp 0x7fffeeef1650 sp 0x7fffeeef1648
WRITE of size 1 at 0x615000022880 thread T0
    #0 0x55b023db5fe0 in sdhci_write_dataport ../../hw/sd/sdhci.c:562
    #1 0x55b023dc1cc7 in sdhci_write ../../hw/sd/sdhci.c:1216
    #2 0x55b024521e01 in memory_region_write_accessor ../../softmmu/memory.c:492
    #3 0x55b0245222ab in access_with_adjusted_size ../../softmmu/memory.c:554
    #4 0x55b02452ff15 in memory_region_dispatch_write ../../softmmu/memory.c:1514
    #5 0x55b024568c67 in flatview_write_continue ../../softmmu/physmem.c:2814
    #6 0x55b02456908d in flatview_write ../../softmmu/physmem.c:2856
    #7 0x55b024569a74 in address_space_write ../../softmmu/physmem.c:2952
    #8 0x55b02457a63c in qtest_process_command ../../softmmu/qtest.c:538
    #9 0x55b02457ef97 in qtest_process_inbuf ../../softmmu/qtest.c:796
    #10 0x55b02457f089 in qtest_read ../../softmmu/qtest.c:808
    #11 0x55b0249d4372 in qemu_chr_be_write_impl ../../chardev/char.c:201
    #12 0x55b0249d4414 in qemu_chr_be_write ../../chardev/char.c:213
    #13 0x55b0249db586 in fd_chr_read ../../chardev/char-fd.c:72
    #14 0x55b02466ba5b in qio_channel_fd_source_dispatch ../../io/channel-watch.c:84
    #15 0x7f88093af0ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x550ae)
    #16 0x55b024c5ff14 in glib_pollfds_poll ../../util/main-loop.c:297
    #17 0x55b024c600fa in os_host_main_loop_wait ../../util/main-loop.c:320
    #18 0x55b024c603f3 in main_loop_wait ../../util/main-loop.c:596
    #19 0x55b023fcca21 in qemu_main_loop ../../softmmu/runstate.c:726
    #20 0x55b023679735 in qemu_main ../../softmmu/main.c:36
    #21 0x55b023679766 in main ../../softmmu/main.c:45
    #22 0x7f8808728f5f in __libc_start_call_main (/lib64/libc.so.6+0x40f5f)
    #23 0x7f880872900f in __libc_start_main_impl (/lib64/libc.so.6+0x4100f)
    #24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)

> Thanks,
> Siqi Chen.
>
>
>
> On Wed, Nov 9, 2022 at 17:30, Bin Meng <bmeng.cn@gmail.com> wrote:
>>
>> Hi,
>>
>> On Mon, Nov 7, 2022 at 7:08 PM Mauro Matteo Cascella
>> <mcascell@redhat.com> wrote:
>> >
>> > On Mon, Nov 7, 2022 at 11:35 AM Mauro Matteo Cascella
>> > <mcascell@redhat.com> wrote:
>> > >
>> > > Make sure to reset data_count if it's equal to (or exceeds) block_size.
>> > > This prevents an off-by-one read / write when accessing s->fifo_buffer
>> > > in sdhci_read_dataport / sdhci_write_dataport, both called right after
>> > > sdhci_buff_access_is_sequential.
>> > >
>> > > Fixes: CVE-2022-3872
>> > > Reported-by: RivenDell <XRivenDell@outlook.com>
>> > > Reported-by: Siqi Chen <coc.cyqh@gmail.com>
>> > > Reported-by: ningqiang <ningqiang1@huawei.com>
>> > > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
>> > > ---
>> > >  hw/sd/sdhci.c | 4 ++++
>> > >  1 file changed, 4 insertions(+)
>> > >
>> > > diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
>> > > index 306070c872..aa2fd79df2 100644
>> > > --- a/hw/sd/sdhci.c
>> > > +++ b/hw/sd/sdhci.c
>> > > @@ -978,6 +978,10 @@ static bool sdhci_can_issue_command(SDHCIState *s)
>> > >  static inline bool
>> > >  sdhci_buff_access_is_sequential(SDHCIState *s, unsigned byte_num)
>> > >  {
>> > > +    if (s->data_count >= (s->blksize & BLOCK_SIZE_MASK)) {
>> > > +        s->data_count = 0;
>> > > +    }
>> > > +
>> > >      if ((s->data_count & 0x3) != byte_num) {
>> > >          trace_sdhci_error("Non-sequential access to Buffer Data Port 
>> > > register"
>> > >                            "is prohibited\n");
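Review bot: the new reset of s->data_count is a state mutation inside a function whose name (sdhci_buff_access_is_sequential) reads as a pure predicate, and the hunk carries no comment saying under which condition data_count can already be at or past the block size on entry, given that the code advancing data_count in sdhci_read_dataport / sdhci_write_dataport is the natural place to keep the invariant data_count < block size. Suggest either a one-line comment above the new `if` stating how that state is reached (the commit message only says "if it's equal to (or exceeds) block_size"), or moving the clamp next to the increment so the predicate stays side-effect free. Also worth stating explicitly: when `s->blksize & BLOCK_SIZE_MASK` is 0 the new condition `s->data_count >= 0` is always true, so data_count is reset on every access and the following `(s->data_count & 0x3) != byte_num` check then only ever accepts byte_num == 0; say whether that is the intended behaviour for a zero block size.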
>> > > --
>> > > 2.38.1
>> > >
>> >
>> > Reproducer:
>> >
>> > cat << EOF | ./qemu-system-x86_64 -machine accel=qtest \
>> > -nodefaults -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
>> > -device sdhci-pci -device sd-card,drive=mydrive -nographic -qtest stdio
>> > outl 0xcf8 0x80001004
>> > outl 0xcfc 0x107
>> > outl 0xcf8 0x80001010
>> > outl 0xcfc 0xfebf1000
>> > writel 0xfebf102c 0x7
>> > writel 0xfebf1004 0x10200
>> > writel 0xfebf100c 0x200000
>> > writel 0xfebf1028 0x10000
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1020 0xdeadbeef
>> > writel 0xfebf1004 0x200
>> > writel 0xfebf100c 0x20
>> > writel 0xfebf1028 0x20000
>> > writel 0x00100000 0xfebf1021
>> > writel 0xfebf1058 0x00100000
>> > writel 0xfebf1028 0x8
>> > writel 0xfebf100c 0x200011
>> > writel 0xfebf1020 0xaabbccdd
>> > EOF
>> >
>>
>> This reproducer does not crash my QEMU. Am I missing anything?
>>
>> Regards,
>> Bin



-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
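Added example by the editor, not code from QEMU or from anyone in this thread: a constructed C model of the three pieces of state the patch touches (a fixed-size FIFO buffer, the byte cursor data_count, and the Block Size register) with the patched wrap-on-block-end check, plus the two defensive bounds a practitioner would want alongside it: the Block Size register write refuses a value larger than the allocation, and the data-port store bounds every index against both the programmed block size and the real allocation. The type ModelState, the constant FIFO_CAPACITY, the guard byte and all model_* functions are hypothetical names for this example; the BLOCK_SIZE_MASK name and the shape of the sequential check are taken from the patch. The scenarios exercise the cursor-at-block-end state the patch guards against and the zero-block-size corner noted in review; they are not the reproducer from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the state the patch touches; this is NOT QEMU's
 * SDHCIState. Field names follow the patch so the check reads the same way. */
#define BLOCK_SIZE_MASK 0x0fff   /* block size is the low 12 bits, as in the patch */
#define FIFO_CAPACITY   512      /* hypothetical allocation size of fifo_buffer */

typedef struct {
    uint8_t  fifo_buffer[FIFO_CAPACITY];
    uint8_t  guard;          /* canary directly after the buffer: a one-byte overflow lands here */
    unsigned data_count;     /* byte cursor into fifo_buffer */
    uint16_t blksize;        /* Block Size register */
    unsigned rejected;       /* accesses refused by the checks below */
} ModelState;

static void model_reset(ModelState *s)
{
    memset(s, 0, sizeof(*s));
    s->guard = 0xA5;
}

/* Block Size register write: refuse a block size larger than the allocation,
 * so data_count < FIFO_CAPACITY can be maintained as an invariant. */
static bool model_set_blksize(ModelState *s, uint16_t value)
{
    if ((value & BLOCK_SIZE_MASK) > FIFO_CAPACITY) {
        s->rejected++;
        return false;
    }
    s->blksize = value;
    return true;
}

/* Same shape as the patched sdhci_buff_access_is_sequential(): wrap the cursor
 * when it has reached the block size, then require byte_num to continue where
 * the previous access stopped. */
static bool model_access_is_sequential(ModelState *s, unsigned byte_num)
{
    if (s->data_count >= (s->blksize & BLOCK_SIZE_MASK)) {
        s->data_count = 0;
    }
    if ((s->data_count & 0x3) != byte_num) {
        s->rejected++;
        return false;
    }
    return true;
}

/* Store a 32-bit data-port write one byte at a time. Every index into
 * fifo_buffer is bounded against both the programmed block size and the real
 * allocation, so the store stays in bounds even if a caller skipped the
 * sequential check. Returns the number of bytes stored. */
static unsigned model_write_dataport(ModelState *s, uint32_t value)
{
    unsigned blk = s->blksize & BLOCK_SIZE_MASK;
    unsigned stored = 0;

    for (unsigned i = 0; i < 4; i++) {
        if (!model_access_is_sequential(s, i)) {
            break;
        }
        if (s->data_count >= blk || s->data_count >= FIFO_CAPACITY) {
            s->rejected++;
            break;
        }
        s->fifo_buffer[s->data_count++] = (uint8_t)(value >> (8 * i));
        stored++;
    }
    return stored;
}

/* Scenario 1: cursor already at the block size (the state the patch guards
 * against). The wrap sends the write to index 0; the guard byte is untouched. */
static bool scenario_cursor_at_block_end(void)
{
    ModelState s;
    model_reset(&s);
    model_set_blksize(&s, 0x200);
    s.data_count = 0x200;                  /* constructed: cursor at block size */
    unsigned n = model_write_dataport(&s, 0xaabbccdd);
    return n == 4 && s.data_count == 4 && s.fifo_buffer[0] == 0xdd
           && s.fifo_buffer[3] == 0xaa && s.guard == 0xA5;
}

/* Scenario 2: a block size larger than the allocation is refused at register
 * write time, so blksize can never carry the cursor past fifo_buffer later. */
static bool scenario_oversized_blksize_rejected(void)
{
    ModelState s;
    model_reset(&s);
    bool ok = model_set_blksize(&s, 0x0ff8);
    return !ok && s.blksize == 0 && s.rejected == 1;
}

/* Scenario 3: with blksize 0 the patched condition is always true, the cursor
 * wraps to 0 on every access, and the bound check refuses the store. */
static bool scenario_zero_blksize_writes_nothing(void)
{
    ModelState s;
    model_reset(&s);
    unsigned n = model_write_dataport(&s, 0xdeadbeef);
    return n == 0 && s.data_count == 0 && s.guard == 0xA5;
}
```

The guard byte sits immediately after the buffer with no padding (both are uint8_t), so it plays the role the sanitizer redzone plays in the trace above: a one-byte overrun would change it even where a production allocator would stay silent, which is the point Siqi Chen makes about needing `--enable-sanitizers` to observe the bug. Scenario 3 records the zero-block-size behaviour of the check as the model implements it, so a regression test can pin whatever behaviour maintainers decide is intended.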