qemu-e2k/tests/qtest
Philippe Mathieu-Daudé 4ac0b72bae hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e
("hw/sd/sdcard: Assert if accessing an illegal group"):

  qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
  Assertion `wpnum < sd->wpgrps_size' failed.
  #3 0x7f62a8b22c91 in __assert_fail
  #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
  #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
  #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
  #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
  #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
  #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
  #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5

It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).

In commit 84816fb63e ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
2021-08-03 19:34:51 +02:00
fuzz fuzz: Display hexadecimal value with '0x' prefix 2021-06-21 05:50:57 +02:00
libqos 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
ac97-test.c
acpi-utils.c
acpi-utils.h
adm1272-test.c tests/qtest: add tests for ADM1272 device model 2021-07-08 14:41:59 -05:00
ahci-test.c tests/qtest/ahci-test.c: Calculate iso_size with 64-bit arithmetic 2021-05-14 12:28:01 +02:00
am53c974-test.c tests/qtest: add tests for am53c974 device 2021-04-12 22:37:11 +01:00
arm-cpu-features.c target/arm: Add cpu properties to control pauth 2021-01-19 14:38:51 +00:00
aspeed_hace-test.c tests/qtest: Add test for Aspeed HACE 2021-05-01 10:03:51 +02:00
aspeed_smc-test.c tests/qtest: Rename m25p80 test in aspeed_smc test 2021-05-01 10:03:52 +02:00
bios-tables-test-allowed-diff.h qtest/acpi/bios-tables-test: update acpi tables 2021-02-23 10:58:42 -05:00
bios-tables-test.c tests/qtest/bios-tables-test: Check for dup2() failure 2021-06-03 16:43:27 +01:00
boot-order-test.c
boot-sector.c tests/qtest/boot-sector: Check that the guest did not panic 2021-02-19 06:29:05 +01:00
boot-sector.h
boot-serial-test.c tests/boot-serial-test: Add STM32VLDISCOVERY board testcase 2021-07-09 16:09:12 +01:00
cdrom-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
cmsdk-apb-dualtimer-test.c tests: Add a simple test of the CMSDK APB dual timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-timer-test.c tests: Add a simple test of the CMSDK APB timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-watchdog-test.c tests/qtest/cmsdk-apb-watchdog-test: Test clock changes 2021-01-29 15:54:44 +00:00
cpu-plug-test.c
dbus-vmstate1.xml
dbus-vmstate-test.c
device-introspect-test.c qtest: escape device name in device-introspect-test 2020-11-04 12:00:02 -05:00
device-plug-test.c
display-vga-test.c
drive_del-test.c
ds1338-test.c
e1000-test.c
e1000e-test.c tests/qtest/e1000e-test: Check qemu_recv() succeeded 2021-06-03 16:43:27 +01:00
eepro100-test.c
emc141x-test.c sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
endianness-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
es1370-test.c
fdc-test.c
fuzz-e1000e-test.c net/eth: Read ip6_ext_hdr_routing buffer before accessing it 2021-03-22 17:34:31 +08:00
fuzz-megasas-test.c tests/qtest: Only run fuzz-megasas-test if megasas device is available 2021-03-16 14:19:54 -04:00
fuzz-sb16-test.c hw/audio/sb16: Restrict I/O sampling rate range for command 41h/42h 2021-06-24 11:42:54 +02:00
fuzz-sdcard-test.c hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 2021-08-03 19:34:51 +02:00
fuzz-virtio-scsi-test.c tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available 2021-03-16 14:19:54 -04:00
fw_cfg-test.c
hd-geo-test.c tests/qtest/hd-geo-test: Fix checks on mkstemp() return value 2021-06-03 16:43:27 +01:00
hexloader-test.c
i440fx-test.c
i82801b11-test.c
ide-test.c
intel-hda-test.c
ioh3420-test.c
ipmi-bt-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipmi-kcs-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipoctal232-test.c
ivshmem-test.c ivshmem-test: do not use short-form boolean option 2020-11-04 12:00:02 -05:00
libqtest-single.h qtest: Update references to parse_escape() in comments 2020-11-10 08:51:30 +01:00
libqtest.c libqtest: refuse QTEST_QEMU_BINARY=qemu-kvm 2021-05-14 12:28:01 +02:00
lpc-ich9-test.c tests/qtest: cleanup the testcase for bug 1878642 2021-03-19 10:37:46 -04:00
m48t59-test.c
machine-none-test.c Drop the deprecated unicore32 target 2021-05-12 18:20:52 +02:00
max34451-test.c tests/qtest: add tests for MAX34451 device model 2021-07-08 14:42:00 -05:00
megasas-test.c
meson.build hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) 2021-07-12 12:27:38 +02:00
microbit-test.c
migration-helpers.c tests/migration: fix memleak in wait_command/wait_command_fd 2020-10-24 07:23:19 +02:00
migration-helpers.h
migration-test.c tests: Fix migration-test build failure for sparc 2021-07-29 08:07:28 +02:00
modules-test.c
ne2000-test.c
npcm7xx_adc-test.c npcm7xx_adc-test: Fix memleak in adc_qom_set 2021-01-19 15:45:14 +00:00
npcm7xx_emc-test.c net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set 2021-03-30 14:05:33 +01:00
npcm7xx_gpio-test.c hw/gpio: Add GPIO model for Nuvoton NPCM7xx 2020-10-27 11:10:32 +00:00
npcm7xx_pwm-test.c tests/qtest/npcm7xx_pwm-test.c: Avoid g_assert_true() for non-test assertions 2021-05-14 12:28:01 +02:00
npcm7xx_rng-test.c tests/qtest/npcm7xx_rng-test: dump random data on failure 2020-12-10 11:30:44 +00:00
npcm7xx_smbus-test.c sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
npcm7xx_timer-test.c tests/qtest: variable defined by g_autofree need to be initialized 2020-11-20 13:34:22 +01:00
npcm7xx_watchdog_timer-test.c tests/qtest: fix memleak in npcm7xx_watchdog_timer-test 2020-11-20 13:35:33 +01:00
numa-test.c machine: add smp compound property 2021-07-06 08:33:51 +02:00
nvme-test.c tests/qtest/nvme-test: add mmio read test 2021-07-26 21:09:39 +02:00
pca9552-test.c
pci-test.c
pcnet-test.c
pflash-cfi02-test.c tests/qtest/pflash-cfi02-test: Avoid potential integer overflow 2021-06-03 16:43:27 +01:00
pnv-xscom-test.c
prom-env-test.c
pvpanic-pci-test.c tests/qtest: add a test case for pvpanic-pci 2021-01-29 10:47:28 +00:00
pvpanic-test.c qtest/pvpanic: Test panic option that allows VM to continue 2020-12-15 12:51:59 -05:00
pxe-test.c
q35-test.c
qmp-cmd-test.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
qmp-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
qom-test.c
qos-test.c tests/qtest/qos-test: dump QEMU command if verbose 2021-02-16 17:15:39 +01:00
rtas-test.c spapr: Implement Open Firmware client interface 2021-07-09 10:38:19 +10:00
rtc-test.c tests/qtest/rtc-test: Remove pointless NULL check 2021-05-14 12:28:01 +02:00
rtl8139-test.c
sdhci-test.c
spapr-phb-test.c
sse-timer-test.c tests/qtest/sse-timer-test: Test counter scaling changes 2021-03-08 17:20:03 +00:00
tco-test.c
test-arm-mptimer.c
test-filter-mirror.c
test-filter-redirector.c treewide: do not use short-form boolean options 2020-12-10 12:15:11 -05:00
test-hmp.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
test-netfilter.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
test-x86-cpuid-compat.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
tmp105-test.c sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
tpm-crb-swtpm-test.c
tpm-crb-test.c
tpm-emu.c
tpm-emu.h
tpm-tests.c tests/qtest/tpm-tests: Remove unnecessary NULL checks 2021-06-03 16:43:27 +01:00
tpm-tests.h
tpm-tis-device-swtpm-test.c
tpm-tis-device-test.c
tpm-tis-swtpm-test.c
tpm-tis-test.c
tpm-tis-util.c
tpm-tis-util.h
tpm-util.c tests/qtest/tpm-util.c: Free memory with correct free function 2021-05-14 12:28:01 +02:00
tpm-util.h
tulip-test.c
usb-hcd-ehci-test.c
usb-hcd-ohci-test.c
usb-hcd-uhci-test.c
usb-hcd-xhci-test.c
vhost-user-blk-test.c vhost-user-blk-test: test discard/write zeroes invalid inputs 2021-05-18 12:57:38 +02:00
vhost-user-test.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
virtio-9p-test.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
virtio-blk-test.c
virtio-ccw-test.c
virtio-net-test.c
virtio-rng-test.c
virtio-scsi-test.c tests/qtest/virtio-scsi-test: add unmap large LBA with 4k blocks test 2021-06-04 13:47:08 +02:00
virtio-serial-test.c
virtio-test.c
vmgenid-test.c
vmxnet3-test.c
wdt_ib700-test.c
xlnx-can-test.c arm: rename xlnx-zcu102.canbusN properties 2021-01-29 10:47:28 +00:00