* [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups
@ 2020-06-26 16:28 Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 01/14] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
` (16 more replies)
0 siblings, 17 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, Philippe Mathieu-Daudé, qemu-block
Patches 5 & 6 fix CVE-2020-13253.
The rest are (accumulated) cleanups.
Missing review:
[PATCH 01/14] MAINTAINERS: Cc qemu-block mailing list
[PATCH 03/14] hw/sd/sdcard: Move some definitions to use them earlier
[PATCH 04/14] hw/sd/sdcard: Use the HWBLOCK_SIZE definition
[PATCH 05/14] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
[PATCH 07/14] hw/sd/sdcard: Check address is in range
[PATCH 11/14] hw/sd/sdcard: Make iolen unsigned
[PATCH 12/14] hw/sd/sdcard: Correctly display the command name in trace events
$ git backport-diff -u v3
Key:
[----] : patches are identical
[####] : number of functional differences between upstream/downstream patch
[down] : patch is downstream-only
The flags [FC] indicate (F)unctional and (C)ontextual differences, respectively
001/14:[----] [--] 'MAINTAINERS: Cc qemu-block mailing list'
002/14:[----] [--] 'hw/sd/sdcard: Update coding style to make checkpatch.pl happy'
003/14:[down] 'hw/sd/sdcard: Move some definitions to use them earlier'
004/14:[down] 'hw/sd/sdcard: Use the HWBLOCK_SIZE definition'
005/14:[0030] [FC] 'hw/sd/sdcard: Do not switch to ReceivingData if address is invalid'
006/14:[----] [--] 'hw/sd/sdcard: Restrict Class 6 commands to SCSD cards'
007/14:[down] 'hw/sd/sdcard: Check address is in range'
008/14:[----] [--] 'hw/sd/sdcard: Update the SDState documentation'
009/14:[----] [--] 'hw/sd/sdcard: Simplify cmd_valid_while_locked()'
010/14:[----] [--] 'hw/sd/sdcard: Constify sd_crc*()'s message argument'
011/14:[0004] [FC] 'hw/sd/sdcard: Make iolen unsigned'
012/14:[----] [-C] 'hw/sd/sdcard: Correctly display the command name in trace events'
013/14:[0004] [FC] 'hw/sd/sdcard: Display offset in read/write_data() trace events'
014/14:[----] [--] 'hw/sd/sdcard: Simplify realize() a bit'
Philippe Mathieu-Daudé (14):
MAINTAINERS: Cc qemu-block mailing list
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
hw/sd/sdcard: Move some definitions to use them earlier
hw/sd/sdcard: Use the HWBLOCK_SIZE definition
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
hw/sd/sdcard: Check address is in range
hw/sd/sdcard: Update the SDState documentation
hw/sd/sdcard: Simplify cmd_valid_while_locked()
hw/sd/sdcard: Constify sd_crc*()'s message argument
hw/sd/sdcard: Make iolen unsigned
hw/sd/sdcard: Correctly display the command name in trace events
hw/sd/sdcard: Display offset in read/write_data() trace events
hw/sd/sdcard: Simplify realize() a bit
hw/sd/sd.c | 139 +++++++++++++++++++++++++++++----------------
MAINTAINERS | 1 +
hw/sd/trace-events | 4 +-
3 files changed, 92 insertions(+), 52 deletions(-)
--
2.21.3
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH v4 01/14] MAINTAINERS: Cc qemu-block mailing list
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 02/14] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Philippe Mathieu-Daudé
` (15 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé, qemu-block, Paolo Bonzini
From: Philippe Mathieu-Daudé <philmd@redhat.com>
We forgot to include the qemu-block mailing list while adding
this section in commit 076a0fc32a7. Fix this.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
MAINTAINERS | 1 +
1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 1b40446c73..d9695a2cb3 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1622,6 +1622,7 @@ F: hw/ssi/xilinx_*
SD (Secure Card)
M: Philippe Mathieu-Daudé <f4bug@amsat.org>
+L: qemu-block@nongnu.org
S: Odd Fixes
F: include/hw/sd/sd*
F: hw/sd/core.c
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 02/14] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 01/14] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 03/14] hw/sd/sdcard: Move some definitions to use them earlier Philippe Mathieu-Daudé
` (14 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, Philippe Mathieu-Daudé, qemu-block
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To make the next commit easier to review, clean this code first.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
hw/sd/sd.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 97a9d32964..cac8d7d828 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1170,8 +1170,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_start = addr;
sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ }
return sd_r1;
default:
@@ -1186,8 +1187,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_start = addr;
sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ }
return sd_r1;
default:
@@ -1232,12 +1234,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ }
+ if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ }
+ if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ }
return sd_r1;
default:
@@ -1256,12 +1261,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ }
+ if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ }
+ if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ }
return sd_r1;
default:
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 03/14] hw/sd/sdcard: Move some definitions to use them earlier
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 01/14] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 02/14] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 04/14] hw/sd/sdcard: Use the HWBLOCK_SIZE definition Philippe Mathieu-Daudé
` (13 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Move some definitions to use them earlier.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index cac8d7d828..4816b4a462 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -80,6 +80,12 @@ enum SDCardStates {
sd_disconnect_state,
};
+#define HWBLOCK_SHIFT 9 /* 512 bytes */
+#define SECTOR_SHIFT 5 /* 16 kilobytes */
+#define WPGROUP_SHIFT 7 /* 2 megs */
+#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
+#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
+
struct SDState {
DeviceState parent_obj;
@@ -367,12 +373,6 @@ static void sd_set_cid(SDState *sd)
sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
}
-#define HWBLOCK_SHIFT 9 /* 512 bytes */
-#define SECTOR_SHIFT 5 /* 16 kilobytes */
-#define WPGROUP_SHIFT 7 /* 2 megs */
-#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
-#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
-
static const uint8_t sd_csd_rw_mask[16] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 04/14] hw/sd/sdcard: Use the HWBLOCK_SIZE definition
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (2 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 03/14] hw/sd/sdcard: Move some definitions to use them earlier Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 05/14] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Philippe Mathieu-Daudé
` (12 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Replace the following different uses of the same value by
the same HWBLOCK_SIZE definition:
- 512 (magic value)
- 0x200 (magic value)
- 1 << HWBLOCK_SHIFT
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 4816b4a462..04451fdad2 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -81,6 +81,7 @@ enum SDCardStates {
};
#define HWBLOCK_SHIFT 9 /* 512 bytes */
+#define HWBLOCK_SIZE (1 << HWBLOCK_SHIFT)
#define SECTOR_SHIFT 5 /* 16 kilobytes */
#define WPGROUP_SHIFT 7 /* 2 megs */
#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
@@ -129,7 +130,7 @@ struct SDState {
uint32_t blk_written;
uint64_t data_start;
uint32_t data_offset;
- uint8_t data[512];
+ uint8_t data[HWBLOCK_SIZE];
qemu_irq readonly_cb;
qemu_irq inserted_cb;
QEMUTimer *ocr_power_timer;
@@ -410,7 +411,7 @@ static void sd_set_csd(SDState *sd, uint64_t size)
((HWBLOCK_SHIFT << 6) & 0xc0);
sd->csd[14] = 0x00; /* File format group */
} else { /* SDHC */
- size /= 512 * KiB;
+ size /= HWBLOCK_SIZE * KiB;
size -= 1;
sd->csd[0] = 0x40;
sd->csd[1] = 0x0e;
@@ -574,7 +575,7 @@ static void sd_reset(DeviceState *dev)
sd->erase_start = 0;
sd->erase_end = 0;
sd->size = size;
- sd->blk_len = 0x200;
+ sd->blk_len = HWBLOCK_SIZE;
sd->pwd_len = 0;
sd->expecting_acmd = false;
sd->dat_lines = 0xf;
@@ -685,7 +686,7 @@ static const VMStateDescription sd_vmstate = {
VMSTATE_UINT32(blk_written, SDState),
VMSTATE_UINT64(data_start, SDState),
VMSTATE_UINT32(data_offset, SDState),
- VMSTATE_UINT8_ARRAY(data, SDState, 512),
+ VMSTATE_UINT8_ARRAY(data, SDState, HWBLOCK_SIZE),
VMSTATE_UNUSED_V(1, 512),
VMSTATE_BOOL(enable, SDState),
VMSTATE_END_OF_LIST()
@@ -754,8 +755,8 @@ static void sd_erase(SDState *sd)
if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
/* High capacity memory card: erase units are 512 byte blocks */
- erase_start *= 512;
- erase_end *= 512;
+ erase_start *= HWBLOCK_SIZE;
+ erase_end *= HWBLOCK_SIZE;
}
erase_start = sd_addr_to_wpnum(erase_start);
@@ -1149,7 +1150,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
case 16: /* CMD16: SET_BLOCKLEN */
switch (sd->state) {
case sd_transfer_state:
- if (req.arg > (1 << HWBLOCK_SHIFT)) {
+ if (req.arg > HWBLOCK_SIZE) {
sd->card_status |= BLOCK_LEN_ERROR;
} else {
trace_sdcard_set_blocklen(req.arg);
@@ -1961,7 +1962,7 @@ uint8_t sd_read_data(SDState *sd)
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
return 0x00;
- io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
+ io_len = (sd->ocr & (1 << 30)) ? HWBLOCK_SIZE : sd->blk_len;
trace_sdcard_read_data(sd->proto_name,
sd_acmd_name(sd->current_cmd),
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 05/14] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (3 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 04/14] hw/sd/sdcard: Use the HWBLOCK_SIZE definition Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 06/14] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
` (11 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Prasad J Pandit, qemu-block,
Philippe Mathieu-Daudé,
Alexander Bulekov, Philippe Mathieu-Daudé
Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
commands queued.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.3 Data Read
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
4.3.4 Data Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
Fixes: CVE-2020-13253
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
v4: Only modify ADDRESS_ERROR, not WP_VIOLATION (pm215)
---
hw/sd/sd.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 04451fdad2..7e0d684aca 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1167,13 +1167,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
case 17: /* CMD17: READ_SINGLE_BLOCK */
switch (sd->state) {
case sd_transfer_state:
- sd->state = sd_sendingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
}
+
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
return sd_r1;
default:
@@ -1184,13 +1186,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
switch (sd->state) {
case sd_transfer_state:
- sd->state = sd_sendingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
}
+
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
return sd_r1;
default:
@@ -1230,14 +1234,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+
+ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
+
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
- }
if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
}
@@ -1257,14 +1264,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+
+ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
+
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
- }
if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
}
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 06/14] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (4 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 05/14] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 07/14] hw/sd/sdcard: Check address is in range Philippe Mathieu-Daudé
` (10 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Only SCSD cards support Class 6 (Block Oriented Write Protection)
commands.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.14 Command Functional Difference in Card Capacity Types
* Write Protected Group
SDHC and SDXC do not support write-protected groups. Issuing
CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 7e0d684aca..871c30a67f 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -922,6 +922,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->multi_blk_cnt = 0;
}
+ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
+ /* Only Standard Capacity cards support class 6 commands */
+ return sd_illegal;
+ }
+
switch (req.cmd) {
/* Basic commands (Class 0 and Class 1) */
case 0: /* CMD0: GO_IDLE_STATE */
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 07/14] hw/sd/sdcard: Check address is in range
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (5 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 06/14] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 08/14] hw/sd/sdcard: Update the SDState documentation Philippe Mathieu-Daudé
` (9 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
As a defense, assert if the requested address is out of the card area.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 871c30a67f..0b606e9054 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -539,6 +539,8 @@ static void sd_response_r7_make(SDState *sd, uint8_t *response)
static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
{
+ assert(addr < sd->size);
+
return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
}
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 08/14] hw/sd/sdcard: Update the SDState documentation
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (6 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 07/14] hw/sd/sdcard: Check address is in range Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 09/14] hw/sd/sdcard: Simplify cmd_valid_while_locked() Philippe Mathieu-Daudé
` (8 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Add more descriptive comments to keep a clear separation
between static property vs runtime changeable.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 0b606e9054..7d20f344bf 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -103,11 +103,14 @@ struct SDState {
uint32_t card_status;
uint8_t sd_status[64];
- /* Configurable properties */
+ /* Static properties */
+
uint8_t spec_version;
BlockBackend *blk;
bool spi;
+ /* Runtime changeables */
+
uint32_t mode; /* current card mode, one of SDCardModes */
int32_t state; /* current card state, one of SDCardStates */
uint32_t vhs;
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 09/14] hw/sd/sdcard: Simplify cmd_valid_while_locked()
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (7 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 08/14] hw/sd/sdcard: Update the SDState documentation Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 10/14] hw/sd/sdcard: Constify sd_crc*()'s message argument Philippe Mathieu-Daudé
` (7 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
cmd_valid_while_locked() only needs to read SDRequest->cmd,
pass it directly and make it const.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 7d20f344bf..b887dce0e1 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1664,7 +1664,7 @@ static sd_rsp_type_t sd_app_command(SDState *sd,
return sd_illegal;
}
-static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
+static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
{
/* Valid commands in locked state:
* basic class (0)
@@ -1675,13 +1675,12 @@ static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
* Anything else provokes an "illegal command" response.
*/
if (sd->expecting_acmd) {
- return req->cmd == 41 || req->cmd == 42;
+ return cmd == 41 || cmd == 42;
}
- if (req->cmd == 16 || req->cmd == 55) {
+ if (cmd == 16 || cmd == 55) {
return 1;
}
- return sd_cmd_class[req->cmd] == 0
- || sd_cmd_class[req->cmd] == 7;
+ return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
}
int sd_do_command(SDState *sd, SDRequest *req,
@@ -1707,7 +1706,7 @@ int sd_do_command(SDState *sd, SDRequest *req,
}
if (sd->card_status & CARD_IS_LOCKED) {
- if (!cmd_valid_while_locked(sd, req)) {
+ if (!cmd_valid_while_locked(sd, req->cmd)) {
sd->card_status |= ILLEGAL_COMMAND;
sd->expecting_acmd = false;
qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 10/14] hw/sd/sdcard: Constify sd_crc*()'s message argument
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (8 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 09/14] hw/sd/sdcard: Simplify cmd_valid_while_locked() Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 11/14] hw/sd/sdcard: Make iolen unsigned Philippe Mathieu-Daudé
` (6 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Alistair Francis, Philippe Mathieu-Daudé,
qemu-block, Philippe Mathieu-Daudé
CRC functions don't modify the buffer argument,
make it const.
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index b887dce0e1..a0500f4551 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -255,11 +255,11 @@ static const int sd_cmd_class[SDMMC_CMD_MAX] = {
7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
};
-static uint8_t sd_crc7(void *message, size_t width)
+static uint8_t sd_crc7(const void *message, size_t width)
{
int i, bit;
uint8_t shift_reg = 0x00;
- uint8_t *msg = (uint8_t *) message;
+ const uint8_t *msg = (const uint8_t *)message;
for (i = 0; i < width; i ++, msg ++)
for (bit = 7; bit >= 0; bit --) {
@@ -271,11 +271,11 @@ static uint8_t sd_crc7(void *message, size_t width)
return shift_reg;
}
-static uint16_t sd_crc16(void *message, size_t width)
+static uint16_t sd_crc16(const void *message, size_t width)
{
int i, bit;
uint16_t shift_reg = 0x0000;
- uint16_t *msg = (uint16_t *) message;
+ const uint16_t *msg = (const uint16_t *)message;
width <<= 1;
for (i = 0; i < width; i ++, msg ++)
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 11/14] hw/sd/sdcard: Make iolen unsigned
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (9 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 10/14] hw/sd/sdcard: Constify sd_crc*()'s message argument Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 12/14] hw/sd/sdcard: Correctly display the command name in trace events Philippe Mathieu-Daudé
` (5 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, Philippe Mathieu-Daudé, qemu-block
From: Philippe Mathieu-Daudé <philmd@redhat.com>
I/O request length can not be negative.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
v4: Use uint32_t (pm215)
---
hw/sd/sd.c | 2 +-
hw/sd/trace-events | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index a0500f4551..8dd83c365c 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1967,7 +1967,7 @@ uint8_t sd_read_data(SDState *sd)
{
/* TODO: Append CRCs */
uint8_t ret;
- int io_len;
+ uint32_t io_len;
if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
return 0x00;
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index 5f09d32eb2..d0cd7c6ec4 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -52,7 +52,7 @@ sdcard_unlock(void) ""
sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x"
-sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, int length) "%s %20s/ CMD%02d len %d"
+sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint32_t length) "%s %20s/ CMD%02d len %" PRIu32
sdcard_set_voltage(uint16_t millivolts) "%u mV"
# milkymist-memcard.c
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 12/14] hw/sd/sdcard: Correctly display the command name in trace events
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (10 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 11/14] hw/sd/sdcard: Make iolen unsigned Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 13/14] hw/sd/sdcard: Display offset in read/write_data() " Philippe Mathieu-Daudé
` (4 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Some ACMD were incorrectly displayed. Fix by remembering if we
are processing a ACMD (with current_cmd_is_acmd) and add the
sd_current_cmd_name() helper, which display to correct name
regardless it is a CMD or ACMD.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 8dd83c365c..798a2346a7 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -125,6 +125,7 @@ struct SDState {
uint8_t pwd[16];
uint32_t pwd_len;
uint8_t function_group[6];
+ bool current_cmd_is_acmd;
uint8_t current_cmd;
/* True if we will handle the next command as an ACMD. Note that this does
* *not* track the APP_CMD status bit!
@@ -1704,6 +1705,8 @@ int sd_do_command(SDState *sd, SDRequest *req,
req->cmd);
req->cmd &= 0x3f;
}
+ sd->current_cmd = req->cmd;
+ sd->current_cmd_is_acmd = sd->expecting_acmd;
if (sd->card_status & CARD_IS_LOCKED) {
if (!cmd_valid_while_locked(sd, req->cmd)) {
@@ -1731,7 +1734,6 @@ int sd_do_command(SDState *sd, SDRequest *req,
/* Valid command, we can update the 'state before command' bits.
* (Do this now so they appear in r1 responses.)
*/
- sd->current_cmd = req->cmd;
sd->card_status &= ~CURRENT_STATE;
sd->card_status |= (last_state << 9);
}
@@ -1792,6 +1794,15 @@ send_response:
return rsplen;
}
+static const char *sd_current_cmd_name(SDState *sd)
+{
+ if (sd->current_cmd_is_acmd) {
+ return sd_acmd_name(sd->current_cmd);
+ } else {
+ return sd_cmd_name(sd->current_cmd);
+ }
+}
+
static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
{
trace_sdcard_read_block(addr, len);
@@ -1830,7 +1841,7 @@ void sd_write_data(SDState *sd, uint8_t value)
return;
trace_sdcard_write_data(sd->proto_name,
- sd_acmd_name(sd->current_cmd),
+ sd_current_cmd_name(sd),
sd->current_cmd, value);
switch (sd->current_cmd) {
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
@@ -1984,7 +1995,7 @@ uint8_t sd_read_data(SDState *sd)
io_len = (sd->ocr & (1 << 30)) ? HWBLOCK_SIZE : sd->blk_len;
trace_sdcard_read_data(sd->proto_name,
- sd_acmd_name(sd->current_cmd),
+ sd_current_cmd_name(sd),
sd->current_cmd, io_len);
switch (sd->current_cmd) {
case 6: /* CMD6: SWITCH_FUNCTION */
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 13/14] hw/sd/sdcard: Display offset in read/write_data() trace events
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (11 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 12/14] hw/sd/sdcard: Correctly display the command name in trace events Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 14/14] hw/sd/sdcard: Simplify realize() a bit Philippe Mathieu-Daudé
` (3 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
Having 'base address' and 'relative offset' displayed
separately is more helpful than the absolute address.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 8 ++++----
hw/sd/trace-events | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 798a2346a7..8fdee4ed56 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1841,8 +1841,8 @@ void sd_write_data(SDState *sd, uint8_t value)
return;
trace_sdcard_write_data(sd->proto_name,
- sd_current_cmd_name(sd),
- sd->current_cmd, value);
+ sd_current_cmd_name(sd), sd->current_cmd,
+ sd->data_start, sd->data_offset, value);
switch (sd->current_cmd) {
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
sd->data[sd->data_offset ++] = value;
@@ -1995,8 +1995,8 @@ uint8_t sd_read_data(SDState *sd)
io_len = (sd->ocr & (1 << 30)) ? HWBLOCK_SIZE : sd->blk_len;
trace_sdcard_read_data(sd->proto_name,
- sd_current_cmd_name(sd),
- sd->current_cmd, io_len);
+ sd_current_cmd_name(sd), sd->current_cmd,
+ sd->data_start, sd->data_offset, io_len);
switch (sd->current_cmd) {
case 6: /* CMD6: SWITCH_FUNCTION */
ret = sd->data[sd->data_offset ++];
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index d0cd7c6ec4..946923223b 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -51,8 +51,8 @@ sdcard_lock(void) ""
sdcard_unlock(void) ""
sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
-sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x"
-sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint32_t length) "%s %20s/ CMD%02d len %" PRIu32
+sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint64_t address, uint32_t offset, uint8_t value) "%s %20s/ CMD%02d addr 0x%" PRIx64 " ofs 0x%" PRIx32 " val 0x%02x"
+sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint64_t address, uint32_t offset, uint32_t length) "%s %20s/ CMD%02d addr 0x%" PRIx64 " ofs 0x%" PRIx32 " len %" PRIu32
sdcard_set_voltage(uint16_t millivolts) "%u mV"
# milkymist-memcard.c
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH v4 14/14] hw/sd/sdcard: Simplify realize() a bit
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (12 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 13/14] hw/sd/sdcard: Display offset in read/write_data() " Philippe Mathieu-Daudé
@ 2020-06-26 16:28 ` Philippe Mathieu-Daudé
2020-06-26 16:30 ` [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (2 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:28 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Philippe Mathieu-Daudé,
Philippe Mathieu-Daudé,
qemu-block
We don't need to check if sd->blk is set twice.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 8fdee4ed56..46cd7c1aba 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -2140,12 +2140,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
return;
}
- if (sd->blk && blk_is_read_only(sd->blk)) {
- error_setg(errp, "Cannot use read-only drive as SD card");
- return;
- }
-
if (sd->blk) {
+ if (blk_is_read_only(sd->blk)) {
+ error_setg(errp, "Cannot use read-only drive as SD card");
+ return;
+ }
+
ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
BLK_PERM_ALL, errp);
if (ret < 0) {
--
2.21.3
^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (13 preceding siblings ...)
2020-06-26 16:28 ` [PATCH v4 14/14] hw/sd/sdcard: Simplify realize() a bit Philippe Mathieu-Daudé
@ 2020-06-26 16:30 ` Philippe Mathieu-Daudé
2020-06-26 16:51 ` no-reply
2020-06-26 16:54 ` no-reply
16 siblings, 0 replies; 18+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-26 16:30 UTC (permalink / raw)
To: qemu-devel@nongnu.org Developers
Cc: Peter Maydell, open list:Block layer core
On Fri, Jun 26, 2020 at 6:28 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Patches 5 & 6 fix CVE-2020-13253.
> The rest are (accumulated) cleanups.
Wrong branch... sorry for the noise :/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (14 preceding siblings ...)
2020-06-26 16:30 ` [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
@ 2020-06-26 16:51 ` no-reply
2020-06-26 16:54 ` no-reply
16 siblings, 0 replies; 18+ messages in thread
From: no-reply @ 2020-06-26 16:51 UTC (permalink / raw)
To: f4bug; +Cc: peter.maydell, qemu-devel, qemu-block, f4bug
Patchew URL: https://patchew.org/QEMU/20200626162818.25840-1-f4bug@amsat.org/
Hi,
This series failed the docker-mingw@fedora build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.
=== TEST SCRIPT BEGIN ===
#! /bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===
from /tmp/qemu-test/src/include/qemu/osdep.h:126,
from /tmp/qemu-test/src/hw/sd/sd.c:33:
/tmp/qemu-test/src/hw/sd/sd.c: In function 'sd_addr_to_wpnum':
/tmp/qemu-test/src/hw/sd/sd.c:546:19: error: 'sd' undeclared (first use in this function); did you mean 'send'?
546 | assert(addr < sd->size);
| ^~
/usr/x86_64-w64-mingw32/sys-root/mingw/include/glib-2.0/glib/gmacros.h:928:8: note: in definition of macro '_G_BOOLEAN_EXPR'
---
/tmp/qemu-test/src/hw/sd/sd.c:546:5: note: in expansion of macro 'assert'
546 | assert(addr < sd->size);
| ^~~~~~
make: *** [/tmp/qemu-test/src/rules.mak:69: hw/sd/sd.o] Error 1
make: *** Waiting for unfinished jobs....
Traceback (most recent call last):
File "./tests/docker/docker.py", line 669, in <module>
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', '--label', 'com.qemu.instance.uuid=704d59d597a64bfdbe6aaf7e32fe45b0', '-u', '1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', '/var/tmp/patchew-tester-tmp-smffcfw5/src/docker-src.2020-06-26-12.48.10.24057:/var/tmp/qemu:z,ro', 'qemu:fedora', '/var/tmp/qemu/run', 'test-mingw']' returned non-zero exit status 2.
filter=--filter=label=com.qemu.instance.uuid=704d59d597a64bfdbe6aaf7e32fe45b0
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-smffcfw5/src'
make: *** [docker-run-test-mingw@fedora] Error 2
real 3m3.444s
user 0m8.625s
The full log is available at
http://patchew.org/logs/20200626162818.25840-1-f4bug@amsat.org/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
` (15 preceding siblings ...)
2020-06-26 16:51 ` no-reply
@ 2020-06-26 16:54 ` no-reply
16 siblings, 0 replies; 18+ messages in thread
From: no-reply @ 2020-06-26 16:54 UTC (permalink / raw)
To: f4bug; +Cc: peter.maydell, qemu-devel, qemu-block, f4bug
Patchew URL: https://patchew.org/QEMU/20200626162818.25840-1-f4bug@amsat.org/
Hi,
This series failed the docker-quick@centos7 build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.
=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===
In file included from /tmp/qemu-test/src/include/qemu/osdep.h:101:0,
from /tmp/qemu-test/src/hw/sd/sd.c:33:
/tmp/qemu-test/src/hw/sd/sd.c: In function 'sd_addr_to_wpnum':
/tmp/qemu-test/src/hw/sd/sd.c:546:19: error: 'sd' undeclared (first use in this function)
assert(addr < sd->size);
^
/tmp/qemu-test/src/hw/sd/sd.c:546:19: note: each undeclared identifier is reported only once for each function it appears in
make: *** [hw/sd/sd.o] Error 1
make: *** Waiting for unfinished jobs....
Traceback (most recent call last):
File "./tests/docker/docker.py", line 669, in <module>
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', '--label', 'com.qemu.instance.uuid=ea6cded0171c4bc4bd3fe971fe0b86bb', '-u', '1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', '/var/tmp/patchew-tester-tmp-fvx14yef/src/docker-src.2020-06-26-12.52.48.1687:/var/tmp/qemu:z,ro', 'qemu:centos7', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit status 2.
filter=--filter=label=com.qemu.instance.uuid=ea6cded0171c4bc4bd3fe971fe0b86bb
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-fvx14yef/src'
make: *** [docker-run-test-quick@centos7] Error 2
real 2m10.002s
user 0m7.978s
The full log is available at
http://patchew.org/logs/20200626162818.25840-1-f4bug@amsat.org/testing.docker-quick@centos7/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2020-06-26 17:05 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-26 16:28 [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 01/14] MAINTAINERS: Cc qemu-block mailing list Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 02/14] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 03/14] hw/sd/sdcard: Move some definitions to use them earlier Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 04/14] hw/sd/sdcard: Use the HWBLOCK_SIZE definition Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 05/14] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 06/14] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 07/14] hw/sd/sdcard: Check address is in range Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 08/14] hw/sd/sdcard: Update the SDState documentation Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 09/14] hw/sd/sdcard: Simplify cmd_valid_while_locked() Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 10/14] hw/sd/sdcard: Constify sd_crc*()'s message argument Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 11/14] hw/sd/sdcard: Make iolen unsigned Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 12/14] hw/sd/sdcard: Correctly display the command name in trace events Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 13/14] hw/sd/sdcard: Display offset in read/write_data() " Philippe Mathieu-Daudé
2020-06-26 16:28 ` [PATCH v4 14/14] hw/sd/sdcard: Simplify realize() a bit Philippe Mathieu-Daudé
2020-06-26 16:30 ` [PATCH v4 00/14] hw/sd/sdcard: Fix CVE-2020-13253 & cleanups Philippe Mathieu-Daudé
2020-06-26 16:51 ` no-reply
2020-06-26 16:54 ` no-reply
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).