From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, "Andrew Jeffery" <andrew@aj.id.au>,
"Bin Meng" <bin.meng@windriver.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Cédric Le Goater" <clg@kaod.org>,
"Joel Stanley" <joel@jms.id.au>
Subject: [RFC PATCH 02/10] hw/sd: Extract address_in_range() helper, log invalid accesses
Date: Thu, 24 Jun 2021 16:22:01 +0200 [thread overview]
Message-ID: <20210624142209.1193073-3-f4bug@amsat.org> (raw)
In-Reply-To: <20210624142209.1193073-1-f4bug@amsat.org>
Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
hw/sd/sd.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 288ae059e3d..d71ec81c22a 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
sd->card_status &= ~CARD_IS_LOCKED;
}
+static bool address_in_range(SDState *sd, const char *desc,
+ uint64_t addr, uint32_t length)
+{
+ if (addr + length > sd->size) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+ desc, addr, sd->size, length);
+ sd->card_status |= ADDRESS_ERROR;
+ return false;
+ }
+ return true;
+}
+
static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
{
qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
@@ -1226,8 +1238,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
return sd_r1;
}
@@ -1272,8 +1283,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
return sd_r1;
}
@@ -1333,8 +1343,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr >= sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
return sd_r1b;
}
@@ -1356,8 +1365,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
switch (sd->state) {
case sd_transfer_state:
- if (addr >= sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
return sd_r1b;
}
@@ -1832,8 +1840,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
if (sd->data_offset == 0) {
/* Start of the block - let's check the address is valid */
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+ sd->data_start, sd->blk_len)) {
break;
}
if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -2005,8 +2013,8 @@ uint8_t sd_read_byte(SDState *sd)
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
if (sd->data_offset == 0) {
- if (sd->data_start + io_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
+ if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+ sd->data_start, io_len)) {
return 0x00;
}
BLK_READ_BLOCK(sd->data_start, io_len);
--
2.31.1
next prev parent reply other threads:[~2021-06-24 14:26 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-24 14:21 [RFC PATCH 00/10] hw/sd: Start splitting SD vs SPI protocols Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 01/10] hw/sd: When card is in wrong state, log which state it is Philippe Mathieu-Daudé
2021-06-25 7:27 ` Bin Meng
2021-06-24 14:22 ` Philippe Mathieu-Daudé [this message]
2021-06-25 7:27 ` [RFC PATCH 02/10] hw/sd: Extract address_in_range() helper, log invalid accesses Bin Meng
2021-06-24 14:22 ` [RFC PATCH 03/10] hw/sd: Move proto_name to SDProto structure Philippe Mathieu-Daudé
2021-06-25 7:27 ` Bin Meng
2021-06-28 7:27 ` Cédric Le Goater
2021-06-24 14:22 ` [RFC PATCH 04/10] hw/sd: Introduce sd_cmd_handler type Philippe Mathieu-Daudé
2021-06-25 13:46 ` Bin Meng
2021-06-28 7:29 ` Cédric Le Goater
2021-06-28 11:25 ` Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 05/10] hw/sd: Add sd_cmd_illegal() handler Philippe Mathieu-Daudé
2021-06-25 13:47 ` Bin Meng
2021-06-26 9:48 ` Philippe Mathieu-Daudé
2021-06-28 7:31 ` Cédric Le Goater
2021-06-24 14:22 ` [RFC PATCH 06/10] hw/sd: Add sd_cmd_unimplemented() handler Philippe Mathieu-Daudé
2021-06-25 13:49 ` Bin Meng
2021-06-25 17:17 ` Philippe Mathieu-Daudé
2021-06-26 3:31 ` Bin Meng
2021-06-26 9:43 ` Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 07/10] hw/sd: Add sd_cmd_GO_IDLE_STATE() handler Philippe Mathieu-Daudé
2021-06-25 13:49 ` Bin Meng
2021-06-24 14:22 ` [RFC PATCH 08/10] hw/sd: Add sd_cmd_SEND_OP_CMD() handler Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 09/10] hw/sd: Add sd_cmd_ALL_SEND_CID() handler Philippe Mathieu-Daudé
2021-06-25 13:50 ` Bin Meng
2021-06-24 14:22 ` [RFC PATCH 10/10] hw/sd: Add sd_cmd_SEND_RELATIVE_ADDR() handler Philippe Mathieu-Daudé
2021-06-25 13:51 ` Bin Meng
2021-06-28 7:54 ` [RFC PATCH 00/10] hw/sd: Start splitting SD vs SPI protocols Cédric Le Goater
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210624142209.1193073-3-f4bug@amsat.org \
--to=f4bug@amsat.org \
--cc=andrew@aj.id.au \
--cc=bin.meng@windriver.com \
--cc=clg@kaod.org \
--cc=joel@jms.id.au \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).