[PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[Philippe Mathieu-Daudé]

Trivial fix for https://gitlab.com/qemu-project/qemu/-/issues/450

Missing review: patch #3

Philippe Mathieu-Daudé (3):
  hw/sd: When card is in wrong state, log which state it is
  hw/sd: Extract address_in_range() helper, log invalid accesses
  hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

 hw/sd/sd.c                     | 40 ++++++++++++++-------
 tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
 MAINTAINERS                    |  3 +-
 tests/qtest/meson.build        |  1 +
 4 files changed, 96 insertions(+), 14 deletions(-)
 create mode 100644 tests/qtest/fuzz-sdcard-test.c

-- 
2.31.1

[PATCH 1/3] hw/sd: When card is in wrong state, log which state it is

[Philippe Mathieu-Daudé]

We report the card is in an inconsistent state, but don't precise
in which state it is. Add this information, as it is useful when
debugging problems.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-2-f4bug@amsat.org>
---
 hw/sd/sd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 282d39a7042..d8fdf84f4db 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1504,7 +1504,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         return sd_illegal;
     }
 
-    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
+    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
+                  req.cmd, sd_state_name(sd->state));
     return sd_illegal;
 }
 
-- 
2.31.1

[PATCH 2/3] hw/sd: Extract address_in_range() helper, log invalid accesses

[Philippe Mathieu-Daudé]

Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-3-f4bug@amsat.org>
---
 hw/sd/sd.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index d8fdf84f4db..9c8dd11bad1 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
         sd->card_status &= ~CARD_IS_LOCKED;
 }
 
+static bool address_in_range(SDState *sd, const char *desc,
+                             uint64_t addr, uint32_t length)
+{
+    if (addr + length > sd->size) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+                      desc, addr, sd->size, length);
+        sd->card_status |= ADDRESS_ERROR;
+        return false;
+    }
+    return true;
+}
+
 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 {
     uint32_t rca = 0x0000;
@@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
             /* Start of the block - let's check the address is valid */
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+                                  sd->data_start, sd->blk_len)) {
                 break;
             }
             if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd)
 
     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
-            if (sd->data_start + io_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+                                  sd->data_start, io_len)) {
                 return 0x00;
             }
             BLK_READ_BLOCK(sd->data_start, io_len);
-- 
2.31.1

[PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[Philippe Mathieu-Daudé]

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

  qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
  ==11578== ERROR: libFuzzer: deadly signal
  #8 0x7ffff628e091 in __assert_fail
  #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
  #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
  #11 0x5555588d777c in sd_do_command hw/sd/sd.c
  #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
  #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
  #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
  #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sd.c                     |  5 +++
 tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
 MAINTAINERS                    |  3 +-
 tests/qtest/meson.build        |  1 +
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 tests/qtest/fuzz-sdcard-test.c

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c8dd11bad1..c753ae24ba9 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1379,6 +1379,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
+            if (!address_in_range(sd, "SEND_WRITE_PROT",
+                                  req.arg, sd->blk_len)) {
+                return sd_r1;
+            }
+
             sd->state = sd_sendingdata_state;
             *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
             sd->data_start = addr;
diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
new file mode 100644
index 00000000000..96602eac7e5
--- /dev/null
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -0,0 +1,66 @@
+/*
+ * QTest fuzzer-generated testcase for sdcard device
+ *
+ * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * https://gitlab.com/qemu-project/qemu/-/issues/450
+ * Used to trigger:
+ *  Assertion `wpnum < sd->wpgrps_size' failed.
+ */
+static void oss_fuzz_29225(void)
+{
+    QTestState *s;
+
+    s = qtest_init(" -display none -m 512m -nodefaults -nographic"
+                   " -device sdhci-pci,sd-spec-version=3"
+                   " -device sd-card,drive=d0"
+                   " -drive if=none,index=0,file=null-co://,format=raw,id=d0");
+
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xd0690);
+    qtest_outl(s, 0xcf8, 0x80001003);
+    qtest_outl(s, 0xcf8, 0x80001013);
+    qtest_outl(s, 0xcfc, 0xffffffff);
+    qtest_outl(s, 0xcf8, 0x80001003);
+    qtest_outl(s, 0xcfc, 0x3effe00);
+
+    qtest_bufwrite(s, 0xff0d062c, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\xb7", 0x1);
+    qtest_bufwrite(s, 0xff0d060a, "\xc9", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x29", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\xc2", 0x1);
+    qtest_bufwrite(s, 0xff0d0628, "\xf7", 0x1);
+    qtest_bufwrite(s, 0x0, "\xe3", 0x1);
+    qtest_bufwrite(s, 0x7, "\x13", 0x1);
+    qtest_bufwrite(s, 0x8, "\xe3", 0x1);
+    qtest_bufwrite(s, 0xf, "\xe3", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x03", 0x1);
+    qtest_bufwrite(s, 0xff0d0605, "\x01", 0x1);
+    qtest_bufwrite(s, 0xff0d060b, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060c, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060e, "\xff", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x06", 0x1);
+    qtest_bufwrite(s, 0xff0d060f, "\x9e", 0x1);
+
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
+   }
+
+   return g_test_run();
+}
diff --git a/MAINTAINERS b/MAINTAINERS
index cfbf7ef79bc..fb33fe12200 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1794,7 +1794,8 @@ F: include/hw/sd/sd*
 F: hw/sd/core.c
 F: hw/sd/sd*
 F: hw/sd/ssi-sd.c
-F: tests/qtest/sd*
+F: tests/qtest/fuzz-sdcard-test.c
+F: tests/qtest/sdhci-test.c
 
 USB
 M: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index b03e8541700..1bb75ee7324 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -21,6 +21,7 @@
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
   (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] : []) + \
   [
   'cdrom-test',
   'device-introspect-test',
-- 
2.31.1

Re: [PATCH 1/3] hw/sd: When card is in wrong state, log which state it is

[Alexander Bulekov]

On 210702 1758, Philippe Mathieu-Daudé wrote:
> We report the card is in an inconsistent state, but don't precise
> in which state it is. Add this information, as it is useful when
> debugging problems.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> Message-Id: <20210624142209.1193073-2-f4bug@amsat.org>

Reviewed-by: Alexander Bulekov <alxndr@bu.edu>

> ---
>  hw/sd/sd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 282d39a7042..d8fdf84f4db 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1504,7 +1504,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
>          return sd_illegal;
>      }
>  
> -    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
> +    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
> +                  req.cmd, sd_state_name(sd->state));
>      return sd_illegal;
>  }
>  
> -- 
> 2.31.1
> 

Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[Alexander Bulekov]

On 210702 1759, Philippe Mathieu-Daudé wrote:
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers an assertion:
> 
>   qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
>   ==11578== ERROR: libFuzzer: deadly signal
>   #8 0x7ffff628e091 in __assert_fail
>   #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
>   #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
>   #11 0x5555588d777c in sd_do_command hw/sd/sd.c
>   #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
>   #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
>   #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
>   #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
> 
> Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
> 
> Include the qtest reproducer provided by Alexander Bulekov:
> 
>   $ make check-qtest-i386
>   ...
>   Running test qtest-i386/fuzz-sdcard-test
>   qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.
> 
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Reviewed-by: Alexander Bulekov <alxndr@bu.edu>

Thanks

> ---
>  hw/sd/sd.c                     |  5 +++
>  tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
>  MAINTAINERS                    |  3 +-
>  tests/qtest/meson.build        |  1 +
>  4 files changed, 74 insertions(+), 1 deletion(-)
>  create mode 100644 tests/qtest/fuzz-sdcard-test.c
> 
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 9c8dd11bad1..c753ae24ba9 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1379,6 +1379,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
>  
>          switch (sd->state) {
>          case sd_transfer_state:
> +            if (!address_in_range(sd, "SEND_WRITE_PROT",
> +                                  req.arg, sd->blk_len)) {
> +                return sd_r1;
> +            }
> +
>              sd->state = sd_sendingdata_state;
>              *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
>              sd->data_start = addr;
> diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
> new file mode 100644
> index 00000000000..96602eac7e5
> --- /dev/null
> +++ b/tests/qtest/fuzz-sdcard-test.c
> @@ -0,0 +1,66 @@
> +/*
> + * QTest fuzzer-generated testcase for sdcard device
> + *
> + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "qemu/osdep.h"
> +#include "libqos/libqtest.h"
> +
> +/*
> + * https://gitlab.com/qemu-project/qemu/-/issues/450
> + * Used to trigger:
> + *  Assertion `wpnum < sd->wpgrps_size' failed.
> + */
> +static void oss_fuzz_29225(void)
> +{
> +    QTestState *s;
> +
> +    s = qtest_init(" -display none -m 512m -nodefaults -nographic"
> +                   " -device sdhci-pci,sd-spec-version=3"
> +                   " -device sd-card,drive=d0"
> +                   " -drive if=none,index=0,file=null-co://,format=raw,id=d0");
> +
> +    qtest_outl(s, 0xcf8, 0x80001010);
> +    qtest_outl(s, 0xcfc, 0xd0690);
> +    qtest_outl(s, 0xcf8, 0x80001003);
> +    qtest_outl(s, 0xcf8, 0x80001013);
> +    qtest_outl(s, 0xcfc, 0xffffffff);
> +    qtest_outl(s, 0xcf8, 0x80001003);
> +    qtest_outl(s, 0xcfc, 0x3effe00);
> +
> +    qtest_bufwrite(s, 0xff0d062c, "\xff", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\xb7", 0x1);
> +    qtest_bufwrite(s, 0xff0d060a, "\xc9", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\x29", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\xc2", 0x1);
> +    qtest_bufwrite(s, 0xff0d0628, "\xf7", 0x1);
> +    qtest_bufwrite(s, 0x0, "\xe3", 0x1);
> +    qtest_bufwrite(s, 0x7, "\x13", 0x1);
> +    qtest_bufwrite(s, 0x8, "\xe3", 0x1);
> +    qtest_bufwrite(s, 0xf, "\xe3", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\x03", 0x1);
> +    qtest_bufwrite(s, 0xff0d0605, "\x01", 0x1);
> +    qtest_bufwrite(s, 0xff0d060b, "\xff", 0x1);
> +    qtest_bufwrite(s, 0xff0d060c, "\xff", 0x1);
> +    qtest_bufwrite(s, 0xff0d060e, "\xff", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\x06", 0x1);
> +    qtest_bufwrite(s, 0xff0d060f, "\x9e", 0x1);
> +
> +    qtest_quit(s);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +    const char *arch = qtest_get_arch();
> +
> +    g_test_init(&argc, &argv, NULL);
> +
> +   if (strcmp(arch, "i386") == 0) {
> +        qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
> +   }
> +
> +   return g_test_run();
> +}
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cfbf7ef79bc..fb33fe12200 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1794,7 +1794,8 @@ F: include/hw/sd/sd*
>  F: hw/sd/core.c
>  F: hw/sd/sd*
>  F: hw/sd/ssi-sd.c
> -F: tests/qtest/sd*
> +F: tests/qtest/fuzz-sdcard-test.c
> +F: tests/qtest/sdhci-test.c
>  
>  USB
>  M: Gerd Hoffmann <kraxel@redhat.com>
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index b03e8541700..1bb75ee7324 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -21,6 +21,7 @@
>    (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
>    (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
>    (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
> +  (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] : []) + \
>    [
>    'cdrom-test',
>    'device-introspect-test',
> -- 
> 2.31.1
> 

Re: [PATCH 3/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[Bin Meng]

On Fri, Jul 2, 2021 at 11:59 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers an assertion:
>
>   qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
>   ==11578== ERROR: libFuzzer: deadly signal
>   #8 0x7ffff628e091 in __assert_fail
>   #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
>   #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
>   #11 0x5555588d777c in sd_do_command hw/sd/sd.c
>   #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
>   #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
>   #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
>   #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
>
> Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
>   $ make check-qtest-i386
>   ...
>   Running test qtest-i386/fuzz-sdcard-test
>   qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.
>
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sd.c                     |  5 +++
>  tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
>  MAINTAINERS                    |  3 +-
>  tests/qtest/meson.build        |  1 +
>  4 files changed, 74 insertions(+), 1 deletion(-)
>  create mode 100644 tests/qtest/fuzz-sdcard-test.c
>

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>

Re: [PATCH 0/3] hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

[Philippe Mathieu-Daudé]

On 7/2/21 5:58 PM, Philippe Mathieu-Daudé wrote:
> Trivial fix for https://gitlab.com/qemu-project/qemu/-/issues/450
> 
> Missing review: patch #3
> 
> Philippe Mathieu-Daudé (3):
>   hw/sd: When card is in wrong state, log which state it is
>   hw/sd: Extract address_in_range() helper, log invalid accesses
>   hw/sd: Check for valid address range in SEND_WRITE_PROT (CMD30)

Thanks, series applied to sdmmc-next tree.