qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, "Andrew Jeffery" <andrew@aj.id.au>,
	"Bin Meng" <bin.meng@windriver.com>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Cédric Le Goater" <clg@kaod.org>,
	"Joel Stanley" <joel@jms.id.au>
Subject: [RFC PATCH 02/10] hw/sd: Extract address_in_range() helper, log invalid accesses
Date: Thu, 24 Jun 2021 16:22:01 +0200	[thread overview]
Message-ID: <20210624142209.1193073-3-f4bug@amsat.org> (raw)
In-Reply-To: <20210624142209.1193073-1-f4bug@amsat.org>

Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sd.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 288ae059e3d..d71ec81c22a 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
         sd->card_status &= ~CARD_IS_LOCKED;
 }
 
+static bool address_in_range(SDState *sd, const char *desc,
+                             uint64_t addr, uint32_t length)
+{
+    if (addr + length > sd->size) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+                      desc, addr, sd->size, length);
+        sd->card_status |= ADDRESS_ERROR;
+        return false;
+    }
+    return true;
+}
+
 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
 {
     qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
@@ -1226,8 +1238,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1272,8 +1283,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1333,8 +1343,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1356,8 +1365,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1832,8 +1840,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
             /* Start of the block - let's check the address is valid */
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+                                  sd->data_start, sd->blk_len)) {
                 break;
             }
             if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -2005,8 +2013,8 @@ uint8_t sd_read_byte(SDState *sd)
 
     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
-            if (sd->data_start + io_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+                                  sd->data_start, io_len)) {
                 return 0x00;
             }
             BLK_READ_BLOCK(sd->data_start, io_len);
-- 
2.31.1



  parent reply	other threads:[~2021-06-24 14:26 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-24 14:21 [RFC PATCH 00/10] hw/sd: Start splitting SD vs SPI protocols Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 01/10] hw/sd: When card is in wrong state, log which state it is Philippe Mathieu-Daudé
2021-06-25  7:27   ` Bin Meng
2021-06-24 14:22 ` Philippe Mathieu-Daudé [this message]
2021-06-25  7:27   ` [RFC PATCH 02/10] hw/sd: Extract address_in_range() helper, log invalid accesses Bin Meng
2021-06-24 14:22 ` [RFC PATCH 03/10] hw/sd: Move proto_name to SDProto structure Philippe Mathieu-Daudé
2021-06-25  7:27   ` Bin Meng
2021-06-28  7:27   ` Cédric Le Goater
2021-06-24 14:22 ` [RFC PATCH 04/10] hw/sd: Introduce sd_cmd_handler type Philippe Mathieu-Daudé
2021-06-25 13:46   ` Bin Meng
2021-06-28  7:29   ` Cédric Le Goater
2021-06-28 11:25     ` Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 05/10] hw/sd: Add sd_cmd_illegal() handler Philippe Mathieu-Daudé
2021-06-25 13:47   ` Bin Meng
2021-06-26  9:48     ` Philippe Mathieu-Daudé
2021-06-28  7:31   ` Cédric Le Goater
2021-06-24 14:22 ` [RFC PATCH 06/10] hw/sd: Add sd_cmd_unimplemented() handler Philippe Mathieu-Daudé
2021-06-25 13:49   ` Bin Meng
2021-06-25 17:17     ` Philippe Mathieu-Daudé
2021-06-26  3:31       ` Bin Meng
2021-06-26  9:43         ` Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 07/10] hw/sd: Add sd_cmd_GO_IDLE_STATE() handler Philippe Mathieu-Daudé
2021-06-25 13:49   ` Bin Meng
2021-06-24 14:22 ` [RFC PATCH 08/10] hw/sd: Add sd_cmd_SEND_OP_CMD() handler Philippe Mathieu-Daudé
2021-06-24 14:22 ` [RFC PATCH 09/10] hw/sd: Add sd_cmd_ALL_SEND_CID() handler Philippe Mathieu-Daudé
2021-06-25 13:50   ` Bin Meng
2021-06-24 14:22 ` [RFC PATCH 10/10] hw/sd: Add sd_cmd_SEND_RELATIVE_ADDR() handler Philippe Mathieu-Daudé
2021-06-25 13:51   ` Bin Meng
2021-06-28  7:54 ` [RFC PATCH 00/10] hw/sd: Start splitting SD vs SPI protocols Cédric Le Goater

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210624142209.1193073-3-f4bug@amsat.org \
    --to=f4bug@amsat.org \
    --cc=andrew@aj.id.au \
    --cc=bin.meng@windriver.com \
    --cc=clg@kaod.org \
    --cc=joel@jms.id.au \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).