* [Bug 1892960] [NEW] Heap-overflow in flatview_read through sdhci_data_transfer
@ 2020-08-26  1:25 Alexander Bulekov
  2020-09-01 12:01 ` [Bug 1892960] " P J P
                   ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Alexander Bulekov @ 2020-08-26  1:25 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -nodefaults \
-device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio -accel qtest 
outl 0xcf8 0x80001010
outl 0xcfc 0xd7055dba
outl 0xcf8 0x80001003
outl 0xcfc 0x86b1d733
writeq 0xd7055d2b 0x84126e0ed7d7355e
writeq 0xd7055d23 0x13bd7d7346e0129
writeq 0xd7055d05 0x615bfb845e05c42c
write 0x0 0x1 0x39
write 0x5 0x1 0x06
write 0x6 0x1 0x35
write 0x7 0x1 0x01
write 0x1350600 0x1 0x39
writew 0xd7055d0e 0x846e
write 0x1350600 0x1 0x29
write 0x1350602 0x1 0x1a
write 0x1350608 0x1 0x39
clock_step
writeq 0xd7055d03 0x6d00000026000000
clock_step
EOF

The trace:

[R +0.077745] outl 0xcf8 0x80001010
OK
[S +0.077773] OK
[R +0.077792] outl 0xcfc 0xd7055dba
OK
[S +0.077813] OK
[R +0.077826] outl 0xcf8 0x80001003
OK
[S +0.077835] OK
[R +0.077846] outl 0xcfc 0x86b1d733
OK
[S +0.080186] OK
[R +0.080204] writeq 0xd7055d2b 0x84126e0ed7d7355e
752161@1598405049.572123:sdhci_access wr8: addr[0x002b] <- 0x0000005e (94)
752161@1598405049.572133:sdhci_access wr32: addr[0x002c] <- 0x0ed7d735 (249026357)
752161@1598405049.572142:sdhci_access wr16: addr[0x0030] <- 0x0000126e (4718)
752161@1598405049.572150:sdhci_access wr8: addr[0x0032] <- 0x00000084 (132)
OK
[S +0.080255] OK
[R +0.080267] writeq 0xd7055d23 0x13bd7d7346e0129
752161@1598405049.572176:sdhci_error Non-sequential access to Buffer Data Port registeris prohibited

752161@1598405049.572181:sdhci_access wr8: addr[0x0023] <- 0x00000029 (41)
752161@1598405049.572187:sdhci_access wr32: addr[0x0024] <- 0xd7346e01 (3610537473)
752161@1598405049.572193:sdhci_access wr16: addr[0x0028] <- 0x00003bd7 (15319)
752161@1598405049.572200:sdhci_access wr8: addr[0x002a] <- 0x00000001 (1)
OK
[S +0.080303] OK
[R +0.080316] writeq 0xd7055d05 0x615bfb845e05c42c
752161@1598405049.572226:sdhci_access wr8: addr[0x0005] <- 0x0000002c (44)
752161@1598405049.572233:sdhci_access wr16: addr[0x0006] <- 0x000005c4 (1476)
752161@1598405049.572240:sdhci_access wr32: addr[0x0008] <- 0x5bfb845e (1543210078)
752161@1598405049.572247:sdhci_access wr8: addr[0x000c] <- 0x00000061 (97)
OK
[S +0.080350] OK
[R +0.080362] write 0x0 0x1 0x39
OK
[S +0.080606] OK
[R +0.080617] write 0x5 0x1 0x06
OK
[S +0.080629] OK
[R +0.080639] write 0x6 0x1 0x35
OK
[S +0.080648] OK
[R +0.080657] write 0x7 0x1 0x01
OK
[S +0.080665] OK
[R +0.080675] write 0x1350600 0x1 0x39
OK
[S +0.080863] OK
[R +0.080875] writew 0xd7055d0e 0x846e
752161@1598405049.572786:sdhci_send_command CMD132 ARG[0x5bfb845e]
752161@1598405049.572810:sdhci_error timeout waiting for command response
752161@1598405049.572822:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572827:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572833:sdhci_adma_loop addr=0x00000000, len=0, attr=0x39
752161@1598405049.572837:sdhci_adma link: admasysaddr=0x0
752161@1598405049.572842:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572845:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572851:sdhci_adma_loop addr=0x00000000, len=0, attr=0x39
752161@1598405049.572854:sdhci_adma link: admasysaddr=0x0
752161@1598405049.572859:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572862:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572875:sdhci_access wr16: addr[0x000e] <- 0x0000846e (33902)
OK
[S +0.080979] OK
[R +0.080991] write 0x1350600 0x1 0x29
OK
[S +0.081001] OK
[R +0.081011] write 0x1350602 0x1 0x1a
OK
[S +0.081019] OK
[R +0.081029] write 0x1350608 0x1 0x39
OK
[S +0.081037] OK
[R +0.081045] clock_step
752161@1598405049.572962:sdhci_adma_loop addr=0x00000000, len=26, attr=0x29
752161@1598405049.572972:sdhci_adma_loop addr=0x00000000, len=0, attr=0x39
752161@1598405049.572977:sdhci_adma link: admasysaddr=0x0
752161@1598405049.572981:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572985:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572989:sdhci_adma_loop addr=0x00000000, len=26, attr=0x29
752161@1598405049.572997:sdhci_adma_loop addr=0x00000000, len=0, attr=0x39
752161@1598405049.573001:sdhci_adma link: admasysaddr=0x0
OK 100
[S +0.081112] OK 100
[R +0.081126] writeq 0xd7055d03 0x6d00000026000000
752161@1598405049.573038:sdhci_access wr8: addr[0x0003] <- 0x00000000 (0)
752161@1598405049.573045:sdhci_access wr32: addr[0x0004] <- 0x00260000 (2490368)
752161@1598405049.573051:sdhci_access wr16: addr[0x0008] <- 0x00000000 (0)
752161@1598405049.573057:sdhci_access wr8: addr[0x000a] <- 0x0000006d (109)
OK
[S +0.081162] OK
[R +0.081171] clock_step
752161@1598405049.573085:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.573090:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.573096:sdhci_adma_loop addr=0x00000000, len=26, attr=0x29
=================================================================
==752161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500001e500 at pc 0x5651bce1a940 bp 0x7fff16a81f50 sp 0x7fff16a81718
WRITE of size 786432 at 0x61500001e500 thread T0
    #0 0x5651bce1a93f in __asan_memcpy (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2893f)
    #1 0x5651bf4197ce in flatview_read_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3246:13
    #2 0x5651bf41bff3 in flatview_read /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3279:12
    #3 0x5651bf41bb48 in address_space_read_full /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3292:18
    #4 0x5651bf41cce8 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3320:16
    #5 0x5651bd623b67 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18
    #6 0x5651bd623585 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12
    #7 0x5651bd6227b7 in dma_memory_read /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:116:12
    #8 0x5651bd61b052 in sdhci_do_adma /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:792:21
    #9 0x5651bd60d3c4 in sdhci_data_transfer /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:887:13
    #10 0x5651c0c4d917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9
    #11 0x5651c0c4de51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12
    #12 0x5651bf562a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9
    #13 0x5651bf74f5d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9
    #14 0x5651bf73d63e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
    #15 0x5651bf73c3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
    #16 0x5651c0842762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
    #17 0x5651c08428aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
    #18 0x5651c0868514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
    #19 0x5651c0754736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
    #20 0x7fac88fad4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
    #21 0x5651c0cdfc67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
    #22 0x5651c0cdd567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
    #23 0x5651c0cdcf47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
    #24 0x5651bf4bb08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
    #25 0x5651bce4d51c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
    #26 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #27 0x5651bcda2cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)

0x61500001e500 is located 0 bytes to the right of 512-byte region [0x61500001e300,0x61500001e500)
allocated by thread T0 here:
    #0 0x5651bce1b5b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
    #1 0x7fac88fb3210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
    #2 0x5651bd8cd222 in sdhci_pci_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci-pci.c:36:5
    #3 0x5651bd88c228 in pci_qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/pci/pci.c:2114:9
    #4 0x5651c07a4ec9 in device_set_realized /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:864:13
    #5 0x5651bfe384b8 in property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:2202:5
    #6 0x5651bfe2c1cf in object_property_set /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1349:5
    #7 0x5651bfe49471 in object_property_set_qobject /home/alxndr/Development/qemu/general-fuzz/build/../qom/qom-qobject.c:28:10
    #8 0x5651bfe2d890 in object_property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1416:15
    #9 0x5651c078cc64 in qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:379:12
    #10 0x5651bd8bd8cc in qdev_device_add /home/alxndr/Development/qemu/general-fuzz/build/../qdev-monitor.c:676:10
    #11 0x5651bf4e3e43 in device_init_func /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:2101:11
    #12 0x5651c0af71e4 in qemu_opts_foreach /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-option.c:1172:14
    #13 0x5651bf4cd04b in qemu_init /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:4384:5
    #14 0x5651bce4d517 in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:49:5
    #15 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2893f) in __asan_memcpy
==752161==ABORTING

-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892960

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892960/+subscriptions
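A triage helper for the qtest trace and sanitizer output above, added here as an example and not part of the bug report or of QEMU: it decodes the ADMA2 descriptor attribute byte (bit layout per the SD Host Controller spec: Valid bit 0, End bit 1, Int bit 2, Act bits 5:4 with 0b10 = Tran and 0b11 = Link), flags the link-descriptor cycle visible in the trace, and computes how far the reported write runs past the 512-byte region. The sample lines are constructed excerpts of the output quoted above; the regexes assume the trace and ASan line formats exactly as printed there.

```python
"""Triage helper for an SDHCI ADMA qtest trace plus an ASan report (added example)."""
import re

# Constructed excerpt of the sdhci_adma_loop / sdhci_adma trace lines quoted above.
TRACE = """\
752161@1598405049.572822:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572827:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572833:sdhci_adma_loop addr=0x00000000, len=0, attr=0x39
752161@1598405049.572837:sdhci_adma link: admasysaddr=0x0
752161@1598405049.572842:sdhci_adma_loop addr=0x01350600, len=0, attr=0x39
752161@1598405049.572845:sdhci_adma link: admasysaddr=0x1350600
752161@1598405049.572962:sdhci_adma_loop addr=0x00000000, len=26, attr=0x29
"""

# Constructed excerpt of the AddressSanitizer report quoted above.
ASAN = """\
==752161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500001e500 at pc 0x5651bce1a940 bp 0x7fff16a81f50 sp 0x7fff16a81718
WRITE of size 786432 at 0x61500001e500 thread T0
0x61500001e500 is located 0 bytes to the right of 512-byte region [0x61500001e300,0x61500001e500)
"""

ADMA_LOOP_RE = re.compile(r"sdhci_adma_loop addr=(0x[0-9a-f]+), len=(\d+), attr=(0x[0-9a-f]+)")
ADMA_LINK_RE = re.compile(r"sdhci_adma link: admasysaddr=(0x[0-9a-f]+)")
ASAN_ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
ASAN_REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

# ADMA2 "Act" field (attribute bits 5:4), per the SD Host Controller spec.
ACTIONS = {0b00: "nop", 0b01: "reserved", 0b10: "tran", 0b11: "link"}


def decode_attr(attr):
    """Split an ADMA2 descriptor attribute byte into its named fields."""
    return {
        "valid": bool(attr & 0x1),
        "end": bool(attr & 0x2),
        "int": bool(attr & 0x4),
        "act": ACTIONS[(attr >> 4) & 0x3],
    }


def parse_adma_trace(text):
    """Return one dict per sdhci_adma_loop line, with the attribute decoded."""
    entries = []
    for line in text.splitlines():
        m = ADMA_LOOP_RE.search(line)
        if m:
            addr, length, attr = int(m.group(1), 16), int(m.group(2)), int(m.group(3), 16)
            entries.append({"addr": addr, "len": length, "attr": attr, **decode_attr(attr)})
    return entries


def find_link_cycle(text):
    """Return the first link target seen twice, or None if the chain never loops.

    A descriptor table that links back to an address it already visited has no
    End descriptor on its path, so the controller model keeps walking the
    guest-controlled table instead of finishing the transfer.
    """
    seen = set()
    for line in text.splitlines():
        m = ADMA_LINK_RE.search(line)
        if m:
            target = int(m.group(1), 16)
            if target in seen:
                return target
            seen.add(target)
    return None


def asan_overrun(text):
    """Return (access_size, region_size, bytes_past_region_end) from an ASan report."""
    access = ASAN_ACCESS_RE.search(text)
    region = ASAN_REGION_RE.search(text)
    if not access or not region:
        return None
    size, at = int(access.group(2)), int(access.group(3), 16)
    region_size, region_end = int(region.group(1)), int(region.group(3), 16)
    return size, region_size, at + size - region_end


if __name__ == "__main__":
    for e in parse_adma_trace(TRACE):
        print(f"addr=0x{e['addr']:08x} len={e['len']} act={e['act']} valid={e['valid']}")
    print("link cycle at:", hex(find_link_cycle(TRACE) or 0))
    print("access size, region size, bytes past end:", asan_overrun(ASAN))
```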



* [Bug 1892960] Re: Heap-overflow in flatview_read through sdhci_data_transfer
  2020-08-26  1:25 [Bug 1892960] [NEW] Heap-overflow in flatview_read through sdhci_data_transfer Alexander Bulekov
@ 2020-09-01 12:01 ` P J P
  2020-10-22 14:00 ` Philippe Mathieu-Daudé
  2020-12-10  9:04 ` Thomas Huth
  2 siblings, 0 replies; 21+ messages in thread
From: P J P @ 2020-09-01 12:01 UTC (permalink / raw)
  To: qemu-devel

Proposed patch
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg07968.html

      #26 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
      #27 0x5651bcda2cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)

  0x61500001e500 is located 0 bytes to the right of 512-byte region [0x61500001e300,0x61500001e500)
  allocated by thread T0 here:
      #0 0x5651bce1b5b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
      #1 0x7fac88fb3210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
      #2 0x5651bd8cd222 in sdhci_pci_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci-pci.c:36:5
      #3 0x5651bd88c228 in pci_qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/pci/pci.c:2114:9
      #4 0x5651c07a4ec9 in device_set_realized /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:864:13
      #5 0x5651bfe384b8 in property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:2202:5
      #6 0x5651bfe2c1cf in object_property_set /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1349:5
      #7 0x5651bfe49471 in object_property_set_qobject /home/alxndr/Development/qemu/general-fuzz/build/../qom/qom-qobject.c:28:10
      #8 0x5651bfe2d890 in object_property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1416:15
      #9 0x5651c078cc64 in qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:379:12
      #10 0x5651bd8bd8cc in qdev_device_add /home/alxndr/Development/qemu/general-fuzz/build/../qdev-monitor.c:676:10
      #11 0x5651bf4e3e43 in device_init_func /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:2101:11
      #12 0x5651c0af71e4 in qemu_opts_foreach /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-option.c:1172:14
      #13 0x5651bf4cd04b in qemu_init /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:4384:5
      #14 0x5651bce4d517 in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:49:5
      #15 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2893f) in __asan_memcpy
  Shadow bytes around the buggy address:
    0x0c2a7fffbc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffbc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffbca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffbcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==752161==ABORTING

  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892960/+subscriptions



* [PATCH 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width
@ 2020-09-01 14:01 Philippe Mathieu-Daudé
  2020-09-01 14:01 ` [PATCH 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
                   ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:01 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

Fix the SDHCI issue reported last week by Alexander:
https://bugs.launchpad.net/qemu/+bug/1892960

The field is 12-bit (4KiB) but the guest can set
up to 16-bit (64KiB), leading to OOB access.

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Fix qemu_log_mask() format string
  hw/sd/sdhci: Document the datasheet used
  hw/sd/sdhci: Fix DMA Transfer Block Size field

 hw/sd/sdhci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.26.2
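A model of the register write path this series corrects, added here as an illustration and not code from QEMU or from the series: it keeps the 12-bit extract/deposit clamp visible in the context of patch 1, and compares the original raw store, the line as posted in patch 3 (which re-extracts the register's own old contents rather than the guest's value), and the intended `extract32(value, 0, 12)`. `BUF_MAXSZ`, the `blksize_write_*` names, `raw_blksize_fits`, the full-16-bit-write simplification, and the assumption that some consumer uses the raw 16-bit register as a byte count are constructed for the example; `extract32`/`deposit32` are re-implemented locally with the semantics of QEMU's bitops helpers so the block compiles stand-alone.

```c
/*
 * Added example (not QEMU code): a model of the SDHCI Block Size register
 * write path discussed in this series. The register is 16 bits wide; the
 * Transfer Block Size field is its low 12 bits (per the commit message).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: 512 bytes matches the region size in the ASan report. */
#define BUF_MAXSZ 512u

/* Local re-implementations with the semantics of QEMU's extract32/deposit32. */
static uint32_t extract32(uint32_t value, int start, int length)
{
    return (value >> start) & (~0U >> (32 - length));
}

static uint32_t deposit32(uint32_t value, int start, int length, uint32_t fieldval)
{
    uint32_t mask = (~0U >> (32 - length)) << start;
    return (value & ~mask) | ((fieldval << start) & mask);
}

/* The clamp from the context of patch 1: it inspects and fixes only the 12-bit field. */
static uint16_t clamp_blksize(uint16_t reg)
{
    if (extract32(reg, 0, 12) > BUF_MAXSZ) {
        reg = (uint16_t)deposit32(reg, 0, 12, BUF_MAXSZ);
    }
    return reg;
}

/* Before the fix: the raw guest value is stored, then the 12-bit clamp runs.
 * Simplification: a full 16-bit write replaces the whole register. */
static uint16_t blksize_write_before(uint16_t reg, uint16_t value)
{
    (void)reg;
    return clamp_blksize(value);
}

/* Patch 3 as posted: the source operand is the register's own old contents,
 * so the guest's write never lands. */
static uint16_t blksize_write_posted(uint16_t reg, uint16_t value)
{
    (void)value;
    return clamp_blksize((uint16_t)extract32(reg, 0, 12));
}

/* Intended fix: take the 12-bit field from the incoming value. */
static uint16_t blksize_write_fixed(uint16_t reg, uint16_t value)
{
    (void)reg;
    return clamp_blksize((uint16_t)extract32(value, 0, 12));
}

/* Constructed hazard: a consumer that treats the raw register as a byte count. */
static bool raw_blksize_fits(uint16_t reg)
{
    return reg <= BUF_MAXSZ;
}

int main(void)
{
    uint16_t guest = 0xF200;   /* low 12 bits = 0x200 (512), upper bits set */

    uint16_t before = blksize_write_before(0, guest);
    uint16_t posted = blksize_write_posted(0x100, 0x200);
    uint16_t fixed  = blksize_write_fixed(0, guest);

    printf("before: reg=0x%04x, raw length fits buffer: %s\n",
           before, raw_blksize_fits(before) ? "yes" : "no");
    printf("posted: wrote 0x200 over 0x100, reg=0x%04x\n", posted);
    printf("fixed : reg=0x%04x, raw length fits buffer: %s\n",
           fixed, raw_blksize_fits(fixed) ? "yes" : "no");
    return 0;
}
```

The `before` case keeps the upper register bits the clamp never inspects, so a consumer that treats the raw register as a length sees 0xF200 (61952) bytes against a 512-byte buffer; that is the shape of the cover letter's 12-bit versus 16-bit mismatch. The `posted` case shows why the author's follow-up in this thread says the change was left unstaged: writing 0x200 over 0x100 leaves the register at 0x100.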




* [PATCH 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string
  2020-09-01 14:01 [PATCH 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
@ 2020-09-01 14:01 ` Philippe Mathieu-Daudé
  2020-09-01 14:01 ` [PATCH 2/3] hw/sd/sdhci: Document the datasheet used Philippe Mathieu-Daudé
  2020-09-01 14:01   ` [Bug 1892960] " Philippe Mathieu-Daudé
  2 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:01 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

Add missing newline character in qemu_log_mask() format.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 1785d7e1f79..e2ef288052e 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1109,7 +1109,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         /* Limit block size to the maximum buffer size */
         if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
             qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
-                          "the maximum buffer 0x%x", __func__, s->blksize,
+                          "the maximum buffer 0x%x\n", __func__, s->blksize,
                           s->buf_maxsz);
 
             s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
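Review bot: while this format string is being touched, the value printed by the first `0x%x` is the raw `s->blksize`, whereas the condition two lines above tests `extract32(s->blksize, 0, 12)` and the clamp below rewrites only that 12-bit field via `deposit32`; when the upper register bits are set the logged size will not be the value that was compared. Logging `extract32(s->blksize, 0, 12)` (or stating in the message that the raw register is shown) keeps the guest-error line consistent with the check it reports.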
-- 
2.26.2




* [PATCH 2/3] hw/sd/sdhci: Document the datasheet used
  2020-09-01 14:01 [PATCH 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
  2020-09-01 14:01 ` [PATCH 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
@ 2020-09-01 14:01 ` Philippe Mathieu-Daudé
  2020-09-01 14:01   ` [Bug 1892960] " Philippe Mathieu-Daudé
  2 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:01 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

Add datasheet name in the file header.

We cannot add the direct download link since there is a disclaimer
to agree to first on the SD Association website (www.sdcard.org).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sdhci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index e2ef288052e..60f083b84c1 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1,6 +1,8 @@
 /*
  * SD Association Host Standard Specification v2.0 controller emulation
  *
+ * Datasheet: PartA2_SD_Host_Controller_Simplified_Specification_Ver2.00.pdf
+ *
  * Copyright (c) 2011 Samsung Electronics Co., Ltd.
  * Mitsyanko Igor <i.mitsyanko@samsung.com>
  * Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
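Review bot: the added Datasheet line names the Ver2.00 document, consistent with the "v2.0 controller emulation" line just above it, but the reproducer in the linked bug instantiates the device with `sd-spec-version=3`; a short remark on which specification version that property selects, and whether the same document still covers it, would save the next reader the question.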
-- 
2.26.2




* [PATCH 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field
@ 2020-09-01 14:01   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:01 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, 1892960, Igor Mitsyanko,
	Philippe Mathieu-Daudé,
	qemu-stable, Alexander Bulekov, bugs-syssec,
	Philippe Mathieu-Daudé

The 'Transfer Block Size' field is 12 bits wide.

See section '2.2.2. Block Size Register (Offset 004h)' in the datasheet.

Cc: qemu-stable@nongnu.org
Cc: Igor Mitsyanko <i.mitsyanko@gmail.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: 1892960@bugs.launchpad.net
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 60f083b84c1..beb7b7ea092 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1104,7 +1104,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         break;
     case SDHC_BLKSIZE:
         if (!TRANSFERRING_DATA(s->prnsts)) {
-            MASKED_WRITE(s->blksize, mask, value);
+            MASKED_WRITE(s->blksize, mask, extract32(s->blksize, 0, 12));
             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
         }
 
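Review bot: the replacement line discards the guest's write: `extract32(s->blksize, 0, 12)` reads the register's current low 12 bits and writes them straight back through `MASKED_WRITE`, so `value` never reaches `s->blksize` and the register can only ever keep its previous contents. The source should be the incoming value, `MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));`, matching the unchanged `blkcnt` line below it that still takes `value >> 16`. A qtest that writes a block size and reads the register back would catch this, since the bug's reproducer only exercises the overflow path.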
-- 
2.26.2




* Re: [PATCH 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field
@ 2020-09-01 14:03     ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:03 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, 1892960, Igor Mitsyanko,
	qemu-stable, Alexander Bulekov, bugs-syssec

On 9/1/20 4:01 PM, Philippe Mathieu-Daudé wrote:
> The 'Transfer Block Size' field is 12-bit wide.
> 
> See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
> 
> Cc: qemu-stable@nongnu.org
> Cc: Igor Mitsyanko <i.mitsyanko@gmail.com>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
> Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: 1892960@bugs.launchpad.net
> ---
>  hw/sd/sdhci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index 60f083b84c1..beb7b7ea092 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -1104,7 +1104,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
>          break;
>      case SDHC_BLKSIZE:
>          if (!TRANSFERRING_DATA(s->prnsts)) {
> -            MASKED_WRITE(s->blksize, mask, value);
> +            MASKED_WRITE(s->blksize, mask, extract32(s->blksize, 0, 12));

Beh change unstaged, sorry, will repost.

>              MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
>          }
>  
> 
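Review bot: for the repost, note that `extract32(value, 0, 12)` also clears bits 15:12 of the 16-bit register on every write, and the commit message only establishes that the Transfer Block Size field is 12 bits wide, not that the rest of the Block Size Register (the Host SDMA Buffer Boundary field in the cited section 2.2.2) is unused by the emulation. Either state in the commit message that those bits are intentionally not emulated, or keep them writable here and apply the 12-bit extract at the points where `blksize` is used as a transfer length.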




      #0 0x5651bce1a93f in __asan_memcpy (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2893f)
      #1 0x5651bf4197ce in flatview_read_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3246:13
      #2 0x5651bf41bff3 in flatview_read /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3279:12
      #3 0x5651bf41bb48 in address_space_read_full /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3292:18
      #4 0x5651bf41cce8 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3320:16
      #5 0x5651bd623b67 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18
      #6 0x5651bd623585 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12
      #7 0x5651bd6227b7 in dma_memory_read /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:116:12
      #8 0x5651bd61b052 in sdhci_do_adma /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:792:21
      #9 0x5651bd60d3c4 in sdhci_data_transfer /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:887:13
      #10 0x5651c0c4d917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9
      #11 0x5651c0c4de51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12
      #12 0x5651bf562a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9
      #13 0x5651bf74f5d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9
      #14 0x5651bf73d63e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
      #15 0x5651bf73c3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
      #16 0x5651c0842762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
      #17 0x5651c08428aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
      #18 0x5651c0868514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
      #19 0x5651c0754736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
      #20 0x7fac88fad4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
      #21 0x5651c0cdfc67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
      #22 0x5651c0cdd567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
      #23 0x5651c0cdcf47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
      #24 0x5651bf4bb08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
      #25 0x5651bce4d51c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
      #26 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
      #27 0x5651bcda2cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)

  0x61500001e500 is located 0 bytes to the right of 512-byte region [0x61500001e300,0x61500001e500)
  allocated by thread T0 here:
      #0 0x5651bce1b5b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
      #1 0x7fac88fb3210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
      #2 0x5651bd8cd222 in sdhci_pci_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci-pci.c:36:5
      #3 0x5651bd88c228 in pci_qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/pci/pci.c:2114:9
      #4 0x5651c07a4ec9 in device_set_realized /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:864:13
      #5 0x5651bfe384b8 in property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:2202:5
      #6 0x5651bfe2c1cf in object_property_set /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1349:5
      #7 0x5651bfe49471 in object_property_set_qobject /home/alxndr/Development/qemu/general-fuzz/build/../qom/qom-qobject.c:28:10
      #8 0x5651bfe2d890 in object_property_set_bool /home/alxndr/Development/qemu/general-fuzz/build/../qom/object.c:1416:15
      #9 0x5651c078cc64 in qdev_realize /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:379:12
      #10 0x5651bd8bd8cc in qdev_device_add /home/alxndr/Development/qemu/general-fuzz/build/../qdev-monitor.c:676:10
      #11 0x5651bf4e3e43 in device_init_func /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:2101:11
      #12 0x5651c0af71e4 in qemu_opts_foreach /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-option.c:1172:14
      #13 0x5651bf4cd04b in qemu_init /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:4384:5
      #14 0x5651bce4d517 in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:49:5
      #15 0x7fac887b6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2893f) in __asan_memcpy
  Shadow bytes around the buggy address:
    0x0c2a7fffbc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffbc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffbc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffbca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffbcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffbcf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==752161==ABORTING

  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892960/+subscriptions


^ permalink raw reply	[flat|nested] 21+ messages in thread

* [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width
@ 2020-09-01 14:04 Philippe Mathieu-Daudé
  2020-09-01 14:04 ` [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
                   ` (4 more replies)
  0 siblings, 5 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:04 UTC (permalink / raw)
  To: qemu-devel
  Cc: Alexander Bulekov, bugs-syssec, Prasad J Pandit, qemu-block,
	Philippe Mathieu-Daudé

Fix the SDHCI issue reported last week by Alexander:
https://bugs.launchpad.net/qemu/+bug/1892960

The field is 12-bit (4KiB) but the guest can set
up to 16-bit (64KiB), leading to OOB access.

since v1:
committed unstaged change in patch #3...

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Fix qemu_log_mask() format string
  hw/sd/sdhci: Document the datasheet used
  hw/sd/sdhci: Fix DMA Transfer Block Size field

 hw/sd/sdhci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.26.2



^ permalink raw reply	[flat|nested] 21+ messages in thread
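A stand-alone C model of the Block Size register write described in this cover letter, added here as an example and not taken from QEMU's hw/sd/sdhci.c: it replays the reproducer's one-byte write to offset 0x05 (the `wr8: addr[0x0005] <- 0x2c` line in the trace) against the register logic before and after patch 3/3, and shows why the existing 12-bit clamp alone leaves bits 12-15 in place unless the written value is truncated first. The byte-lane shift/mask derivation, the `transferring` flag standing in for TRANSFERRING_DATA(), and the transfer path consuming the raw 16-bit register are assumptions mirroring the hunks, not QEMU's actual code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the thread: offset 004h is the Block Size register, its
 * Transfer Block Size field is 12 bits wide, and the ASan report shows the
 * controller's fifo_buffer is a 512-byte heap allocation. */
#define SDHC_BLKSIZE    0x04
#define BLKSIZE_BITS    12
#define FIFO_BUF_MAXSZ  512

/* QEMU-style helpers re-implemented for this model: keep the bits selected by
 * 'mask', OR in the new value; extract/deposit a 'length'-bit field at 'start'. */
#define MASKED_WRITE(reg, mask, val) ((reg) = ((reg) & (mask)) | (val))

static uint32_t extract32(uint32_t value, int start, int length)
{
    return (value >> start) & (~0U >> (32 - length));
}

static uint32_t deposit32(uint32_t value, int start, int length, uint32_t field)
{
    uint32_t mask = (~0U >> (32 - length)) << start;
    return (value & ~mask) | ((field << start) & mask);
}

struct sdhci_model {
    uint16_t blksize;    /* offset 0x04: Block Size register */
    uint16_t blkcnt;     /* offset 0x06: Block Count register */
    uint32_t buf_maxsz;  /* allocated size of fifo_buffer[] */
    bool transferring;   /* stands in for TRANSFERRING_DATA(s->prnsts) */
};

/* Model of a 1/2/4-byte MMIO write at 'offset' into the 32-bit word holding
 * blksize (low half) and blkcnt (high half). The shift/mask derivation is an
 * assumption about how 'mask' and 'value' reach the hunks shown in the series.
 * 'fixed' selects the behaviour before (false) or after (true) patch 3/3. */
static void sdhci_model_write(struct sdhci_model *s, unsigned offset,
                              unsigned size, uint32_t val, bool fixed)
{
    unsigned shift = (offset & 3) * 8;                 /* byte lane in the word */
    uint32_t value = val << shift;
    uint32_t mask = (uint32_t)~(((1ULL << (size * 8)) - 1) << shift);

    if (!s->transferring) {
        if (fixed) {
            /* Patch 3/3: only the 12-bit Transfer Block Size field is stored. */
            MASKED_WRITE(s->blksize, mask, extract32(value, 0, BLKSIZE_BITS));
        } else {
            /* Before the fix: the whole 16-bit half-word lands in blksize. */
            MASKED_WRITE(s->blksize, mask, value);
        }
        MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
    }
    /* Existing clamp (the hunk in patch 1/3): it compares and rewrites only
     * the low 12 bits, so bits 12-15 of blksize survive it untouched. */
    if (extract32(s->blksize, 0, BLKSIZE_BITS) > s->buf_maxsz) {
        s->blksize = deposit32(s->blksize, 0, BLKSIZE_BITS, s->buf_maxsz);
    }
}

/* Replays the reproducer's byte write to offset 0x05 and returns blksize. */
static uint16_t blksize_after_replay(bool fixed)
{
    struct sdhci_model s = { .buf_maxsz = FIFO_BUF_MAXSZ };
    sdhci_model_write(&s, 0x05, 1, 0x2c, fixed);
    return s.blksize;
}

/* Bytes a block-sized copy into fifo_buffer[] would run past the allocation
 * (0 = safe), assuming the transfer path uses the raw 16-bit register. */
static uint32_t overrun_after_replay(bool fixed)
{
    uint32_t block_len = blksize_after_replay(fixed);
    return block_len > FIFO_BUF_MAXSZ ? block_len - FIFO_BUF_MAXSZ : 0;
}

/* Replays the trace's 'wr32: addr[0x0004] <- 0x00260000': a full-word write
 * fills blksize from the low half and blkcnt from the high half. */
static uint16_t blkcnt_after_word_write(bool fixed)
{
    struct sdhci_model s = { .buf_maxsz = FIFO_BUF_MAXSZ };
    sdhci_model_write(&s, 0x04, 4, 0x00260000, fixed);
    return s.blkcnt;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        printf("%s fix: blksize=0x%04x, fifo overrun=%u bytes, blkcnt=0x%04x\n",
               fixed ? "after " : "before", blksize_after_replay(fixed),
               overrun_after_replay(fixed), blkcnt_after_word_write(fixed));
    }
    return 0;
}
```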

* [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string
  2020-09-01 14:04 [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
@ 2020-09-01 14:04 ` Philippe Mathieu-Daudé
  2020-09-01 17:51   ` Richard Henderson
  2020-09-01 14:04 ` [PATCH v2 2/3] hw/sd/sdhci: Document the datasheet used Philippe Mathieu-Daudé
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:04 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

Add missing newline character in qemu_log_mask() format.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 1785d7e1f79..e2ef288052e 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1109,7 +1109,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         /* Limit block size to the maximum buffer size */
         if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
             qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
-                          "the maximum buffer 0x%x", __func__, s->blksize,
+                          "the maximum buffer 0x%x\n", __func__, s->blksize,
                           s->buf_maxsz);
 
             s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
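Review bot: the format now ends in a newline, but the `Size 0x%x` argument is still the raw `s->blksize` while the comparison two lines above uses `extract32(s->blksize, 0, 12)`, so the logged size can carry bits 12-15 and disagree with the value actually compared against `s->buf_maxsz`; pass the extracted 12-bit field (or log both) so the guest-error line shows what was clamped.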
-- 
2.26.2



^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH v2 2/3] hw/sd/sdhci: Document the datasheet used
  2020-09-01 14:04 [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
  2020-09-01 14:04 ` [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
@ 2020-09-01 14:04 ` Philippe Mathieu-Daudé
  2020-09-01 17:51   ` Richard Henderson
  2020-09-01 14:04   ` [Bug 1892960] " Philippe Mathieu-Daudé
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:04 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

Add datasheet name in the file header.

We cannot add the direct download link since there is a disclaimer
to agree to first on the SD Association website (www.sdcard.org).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sdhci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index e2ef288052e..60f083b84c1 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1,6 +1,8 @@
 /*
  * SD Association Host Standard Specification v2.0 controller emulation
  *
+ * Datasheet: PartA2_SD_Host_Controller_Simplified_Specification_Ver2.00.pdf
+ *
  * Copyright (c) 2011 Samsung Electronics Co., Ltd.
  * Mitsyanko Igor <i.mitsyanko@samsung.com>
  * Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
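Review bot: the new Datasheet line names a Ver2.00 document, consistent with the 'v2.0' in the header line above it, but the reproducer in this thread instantiates the device with `sd-spec-version=3`; if the emulation follows a later specification revision for that mode, list that document here as well so readers do not look for v3 register fields in the wrong specification.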
-- 
2.26.2



^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH v2 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field
@ 2020-09-01 14:04   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:04 UTC (permalink / raw)
  To: qemu-devel
  Cc: Prasad J Pandit, qemu-block, 1892960, Igor Mitsyanko,
	qemu-stable, Philippe Mathieu-Daudé,
	Alexander Bulekov, bugs-syssec, Philippe Mathieu-Daudé

The 'Transfer Block Size' field is 12 bits wide.

See section '2.2.2. Block Size Register (Offset 004h)' in the datasheet.

Cc: qemu-stable@nongnu.org
Cc: Igor Mitsyanko <i.mitsyanko@gmail.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: 1892960@bugs.launchpad.net
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 60f083b84c1..ecbf84e9d3f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1104,7 +1104,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         break;
     case SDHC_BLKSIZE:
         if (!TRANSFERRING_DATA(s->prnsts)) {
-            MASKED_WRITE(s->blksize, mask, value);
+            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
         }
 
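Review bot: `extract32(value, 0, 12)` also zeroes bits 12-15 of the half-word, so whatever the Block Size register defines above bit 11 (section 2.2.2 of the cited datasheet places the Host SDMA Buffer Boundary at bits 14-12) becomes unwritable by the guest; if dropping those bits is intended, say so in the commit message, otherwise an alternative is to keep this write unchanged and apply the 12-bit mask where `s->blksize` is consumed as a transfer length (the `sdhci_do_adma` frame in the report), since the clamp in the previous hunk only bounds the low 12 bits.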
-- 
2.26.2



^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [Bug 1892960] [PATCH v2 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field
@ 2020-09-01 14:04   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-01 14:04 UTC (permalink / raw)
  To: qemu-devel

The 'Transfer Block Size' field is 12 bits wide.

See section '2.2.2. Block Size Register (Offset 004h)' in the datasheet.

Cc: qemu-stable@nongnu.org
Cc: Igor Mitsyanko <i.mitsyanko@gmail.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: 1892960@bugs.launchpad.net
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 60f083b84c1..ecbf84e9d3f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1104,7 +1104,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         break;
     case SDHC_BLKSIZE:
         if (!TRANSFERRING_DATA(s->prnsts)) {
-            MASKED_WRITE(s->blksize, mask, value);
+            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
         }
 
-- 
2.26.2



^ permalink raw reply related	[flat|nested] 21+ messages in thread

* Re: [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string
  2020-09-01 14:04 ` [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
@ 2020-09-01 17:51   ` Richard Henderson
  0 siblings, 0 replies; 21+ messages in thread
From: Richard Henderson @ 2020-09-01 17:51 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, qemu-devel
  Cc: Alexander Bulekov, bugs-syssec, Prasad J Pandit, qemu-block,
	Philippe Mathieu-Daudé

On 9/1/20 7:04 AM, Philippe Mathieu-Daudé wrote:
> Add missing newline character in qemu_log_mask() format.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sdhci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH v2 2/3] hw/sd/sdhci: Document the datasheet used
  2020-09-01 14:04 ` [PATCH v2 2/3] hw/sd/sdhci: Document the datasheet used Philippe Mathieu-Daudé
@ 2020-09-01 17:51   ` Richard Henderson
  0 siblings, 0 replies; 21+ messages in thread
From: Richard Henderson @ 2020-09-01 17:51 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, qemu-devel
  Cc: Alexander Bulekov, bugs-syssec, Prasad J Pandit, qemu-block,
	Philippe Mathieu-Daudé

On 9/1/20 7:04 AM, Philippe Mathieu-Daudé wrote:
> Add datasheet name in the file header.
> 
> We cannot add the direct download link since there is a disclaimer
> to agree to first on the SD Association website (www.sdcard.org).
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sdhci.c | 2 ++
>  1 file changed, 2 insertions(+)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH v2 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field
  2020-09-01 14:04   ` [Bug 1892960] " Philippe Mathieu-Daudé
  (?)
@ 2020-09-02 10:39   ` P J P
  -1 siblings, 0 replies; 21+ messages in thread
From: P J P @ 2020-09-02 10:39 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: qemu-block, Alexander Bulekov, Igor Mitsyanko, qemu-devel,
	qemu-stable, 1892960, bugs-syssec, Philippe Mathieu-Daudé


+-- On Tue, 1 Sep 2020, Philippe Mathieu-Daudé wrote --+
| The 'Transfer Block Size' field is 12 bits wide.
| See section '2.2.2. Block Size Register (Offset 004h)' in the datasheet.
| 
| Buglink: https://bugs.launchpad.net/qemu/+bug/1892960

+ https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1

| diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
| index 60f083b84c1..ecbf84e9d3f 100644
| --- a/hw/sd/sdhci.c
| +++ b/hw/sd/sdhci.c
| @@ -1104,7 +1104,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
|          break;
|      case SDHC_BLKSIZE:
|          if (!TRANSFERRING_DATA(s->prnsts)) {
| -            MASKED_WRITE(s->blksize, mask, value);
| +            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
|              MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);

It helps to fix the above issues.

Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width
  2020-09-01 14:04 [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
                   ` (2 preceding siblings ...)
  2020-09-01 14:04   ` [Bug 1892960] " Philippe Mathieu-Daudé
@ 2020-09-10 14:49 ` Alexander Bulekov
  2020-09-18  8:27 ` Philippe Mathieu-Daudé
  4 siblings, 0 replies; 21+ messages in thread
From: Alexander Bulekov @ 2020-09-10 14:49 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: bugs-syssec, qemu-devel, qemu-block, Prasad J Pandit

For this series:

Tested-by: Alexander Bulekov <alxndr@bu.edu>

On 200901 1604, Philippe Mathieu-Daudé wrote:
> Fix the SDHCI issue reported last week by Alexander:
> https://bugs.launchpad.net/qemu/+bug/1892960
> 
> The field is 12-bit (4KiB) but the guest can set
> up to 16-bit (64KiB), leading to OOB access.
> 
> since v1:
> committed unstaged change in patch #3...
> 
> Philippe Mathieu-Daudé (3):
>   hw/sd/sdhci: Fix qemu_log_mask() format string
>   hw/sd/sdhci: Document the datasheet used
>   hw/sd/sdhci: Fix DMA Transfer Block Size field
> 
>  hw/sd/sdhci.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> -- 
> 2.26.2
> 



* Re: [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width
  2020-09-01 14:04 [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
                   ` (3 preceding siblings ...)
  2020-09-10 14:49 ` [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Alexander Bulekov
@ 2020-09-18  8:27 ` Philippe Mathieu-Daudé
  4 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-18  8:27 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Bulekov, bugs-syssec, Prasad J Pandit, qemu-block

On 9/1/20 4:04 PM, Philippe Mathieu-Daudé wrote:
> Fix the SDHCI issue reported last week by Alexander:
> https://bugs.launchpad.net/qemu/+bug/1892960
> 
> The field is 12-bit (4KiB) but the guest can set
> up to 16-bit (64KiB), leading to OOB access.
> 
> since v1:
> committed unstaged change in patch #3...
> 
> Philippe Mathieu-Daudé (3):
>   hw/sd/sdhci: Fix qemu_log_mask() format string
>   hw/sd/sdhci: Document the datasheet used
>   hw/sd/sdhci: Fix DMA Transfer Block Size field

Thanks, series applied to my sd-next tree.



* [Bug 1892960] Re: Heap-overflow in flatview_read through sdhci_data_transfer
  2020-08-26  1:25 [Bug 1892960] [NEW] Heap-overflow in flatview_read through sdhci_data_transfer Alexander Bulekov
  2020-09-01 12:01 ` [Bug 1892960] " P J P
@ 2020-10-22 14:00 ` Philippe Mathieu-Daudé
  2020-12-10  9:04 ` Thomas Huth
  2 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-10-22 14:00 UTC (permalink / raw)
  To: qemu-devel

Fixed in commit dfba99f17feb6d4a129da19d38df1bcd8579d1c3.

** Changed in: qemu
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892960

Title:
  Heap-overflow in flatview_read through sdhci_data_transfer

Status in QEMU:
  Fix Committed


To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892960/+subscriptions



* [Bug 1892960] Re: Heap-overflow in flatview_read through sdhci_data_transfer
  2020-08-26  1:25 [Bug 1892960] [NEW] Heap-overflow in flatview_read through sdhci_data_transfer Alexander Bulekov
  2020-09-01 12:01 ` [Bug 1892960] " P J P
  2020-10-22 14:00 ` Philippe Mathieu-Daudé
@ 2020-12-10  9:04 ` Thomas Huth
  2 siblings, 0 replies; 21+ messages in thread
From: Thomas Huth @ 2020-12-10  9:04 UTC (permalink / raw)
  To: qemu-devel

Released with QEMU v5.2.0.

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892960

Title:
  Heap-overflow in flatview_read through sdhci_data_transfer

Status in QEMU:
  Fix Released


To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892960/+subscriptions



end of thread, other threads:[~2020-12-10  9:28 UTC | newest]

Thread overview: 21+ messages
2020-08-26  1:25 [Bug 1892960] [NEW] Heap-overflow in flatview_read through sdhci_data_transfer Alexander Bulekov
2020-09-01 12:01 ` [Bug 1892960] " P J P
2020-10-22 14:00 ` Philippe Mathieu-Daudé
2020-12-10  9:04 ` Thomas Huth
2020-09-01 14:01 [PATCH 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
2020-09-01 14:01 ` [PATCH 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
2020-09-01 14:01 ` [PATCH 2/3] hw/sd/sdhci: Document the datasheet used Philippe Mathieu-Daudé
2020-09-01 14:01 ` [PATCH 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field Philippe Mathieu-Daudé
2020-09-01 14:01   ` [Bug 1892960] " Philippe Mathieu-Daudé
2020-09-01 14:03   ` Philippe Mathieu-Daudé
2020-09-01 14:03     ` [Bug 1892960] " Philippe Mathieu-Daudé
2020-09-01 14:04 [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Philippe Mathieu-Daudé
2020-09-01 14:04 ` [PATCH v2 1/3] hw/sd/sdhci: Fix qemu_log_mask() format string Philippe Mathieu-Daudé
2020-09-01 17:51   ` Richard Henderson
2020-09-01 14:04 ` [PATCH v2 2/3] hw/sd/sdhci: Document the datasheet used Philippe Mathieu-Daudé
2020-09-01 17:51   ` Richard Henderson
2020-09-01 14:04 ` [PATCH v2 3/3] hw/sd/sdhci: Fix DMA Transfer Block Size field Philippe Mathieu-Daudé
2020-09-01 14:04   ` [Bug 1892960] " Philippe Mathieu-Daudé
2020-09-02 10:39   ` P J P
2020-09-10 14:49 ` [PATCH v2 0/3] hw/sd/sdhci: Fix DMA Transfer Block Size field width Alexander Bulekov
2020-09-18  8:27 ` Philippe Mathieu-Daudé
