OpenE2K
/
qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
qemu-e2k/hw/sd
History
Philippe Mathieu-Daudé 59b63d78be hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) 
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

  qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
  ==11578== ERROR: libFuzzer: deadly signal
  #8 0x7ffff628e091 in __assert_fail
  #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
  #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
  #11 0x5555588d777c in sd_do_command hw/sd/sd.c
  #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c💯16
  #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
  #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
  #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62 ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
 		2021-07-12 12:27:38 +02:00
..
Kconfig hw/sd: Add Cadence SDHCI emulation 2020-09-09 15:54:18 -07:00
allwinner-sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
aspeed_sdhci.c Fix SPDX-License-Identifier typos 2021-02-20 12:36:19 +01:00
bcm2835_sdhost.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
cadence_sdhci.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
core.c hw/sd: Introduce receive_ready() callback 2021-02-20 00:17:09 +01:00
meson.build Drop the deprecated lm32 target 2021-05-12 18:20:25 +02:00
omap_mmc.c hw/sd/omap_mmc: Use device_cold_reset() instead of device_legacy_reset() 2021-05-10 17:21:53 +01:00
pl181.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pxa2xx_mmci.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
sd.c hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) 2021-07-12 12:27:38 +02:00
sdhci-internal.h sd: sdhci: Implement basic vendor specific register support 2020-06-16 10:32:29 +01:00
sdhci-pci.c sd: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
sdhci.c hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed 2021-03-22 16:56:22 +01:00
sdmmc-internal.c sdcard: Display command name when tracing CMD/ACMD 2018-03-09 17:09:44 +00:00
sdmmc-internal.h Clean up header guards that don't match their file name 2019-05-13 08:58:55 +02:00
ssi-sd.c hw/sd: ssi-sd: Handle the rest commands with R1b response type 2021-02-20 00:17:09 +01:00
trace-events docs: fix references to docs/devel/tracing.rst 2021-06-02 06:51:09 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00