qemu-e2k/hw/sd
Philippe Mathieu-Daudé 4ac0b72bae hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e
("hw/sd/sdcard: Assert if accessing an illegal group"):

  qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
  Assertion `wpnum < sd->wpgrps_size' failed.
  #3 0x7f62a8b22c91 in __assert_fail
  #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
  #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
  #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
  #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c💯16
  #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
  #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
  #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5

It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).

In commit 84816fb63e ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
2021-08-03 19:34:51 +02:00
..
allwinner-sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
aspeed_sdhci.c Fix SPDX-License-Identifier typos 2021-02-20 12:36:19 +01:00
bcm2835_sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
cadence_sdhci.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
core.c hw/sd: Introduce receive_ready() callback 2021-02-20 00:17:09 +01:00
Kconfig hw/sd: Add Cadence SDHCI emulation 2020-09-09 15:54:18 -07:00
meson.build Drop the deprecated lm32 target 2021-05-12 18:20:25 +02:00
omap_mmc.c hw/sd/omap_mmc: Use device_cold_reset() instead of device_legacy_reset() 2021-05-10 17:21:53 +01:00
pl181.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pxa2xx_mmci.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
sd.c hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 2021-08-03 19:34:51 +02:00
sdhci-internal.h
sdhci-pci.c
sdhci.c hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed 2021-03-22 16:56:22 +01:00
sdmmc-internal.c
sdmmc-internal.h
ssi-sd.c hw/sd: ssi-sd: Handle the rest commands with R1b response type 2021-02-20 00:17:09 +01:00
trace-events docs: fix references to docs/devel/tracing.rst 2021-06-02 06:51:09 +02:00
trace.h