From patchwork Wed Apr 10 09:13:13 2024
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 787501
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Chuhong Yuan, Peter Maydell, Bin Meng, qemu-block@nongnu.org
Subject: [PULL 14/16] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
Date: Wed, 10 Apr 2024 11:13:13 +0200
Message-ID: <20240410091315.57241-15-philmd@linaro.org>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

Per "SD Host Controller Standard Specification Version 3.00":

  * 2.2.5 Transfer Mode Register (Offset 00Ch)

    Writes to this register shall be ignored when the Command
    Inhibit (DAT) in the Present State register is 1.
Do not update the TRNMOD register when Command Inhibit (DAT)
bit is set to avoid the present-status register going out of
sync, leading to a malicious guest using DMA mode and overflowing
the FIFO buffer:

  $ cat << EOF | qemu-system-i386 \
                     -display none -nographic -nodefaults \
                     -machine accel=qtest -m 512M \
                     -device sdhci-pci,sd-spec-version=3 \
                     -device sd-card,drive=mydrive \
                     -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
                     -qtest stdio
  outl 0xcf8 0x80001013
  outl 0xcfc 0x91
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0x9100002c 0x1 0x05
  write 0x91000058 0x1 0x16
  write 0x91000005 0x1 0x04
  write 0x91000028 0x1 0x08
  write 0x16 0x1 0x21
  write 0x19 0x1 0x20
  write 0x9100000c 0x1 0x01
  write 0x9100000e 0x1 0x20
  write 0x9100000f 0x1 0x00
  write 0x9100000c 0x1 0x00
  write 0x91000020 0x1 0x00
  EOF

Stack trace (part):

=================================================================
==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900
at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468
WRITE of size 1 at 0x615000029900 thread T0
    #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39
    #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13
    #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5
    #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18
    #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16
    #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23
    #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12
    #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18
    ...
0x615000029900 is located 0 bytes to the right of 512-byte region
[0x615000029700,0x615000029900) allocated by thread T0 here:
    #0 0x55d5f7237b27 in __interceptor_calloc
    #1 0x7f9e36dd4c50 in g_malloc0
    #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
    #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9
    #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13
    #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5
    #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5
    #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10
    #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15
    #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12
    #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10
    #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11
    #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11
    #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14
    #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5
    #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5
    #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9
    ...
SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport

Add assertions to ensure the fifo_buffer[] is not overflowed
by malicious accesses to the Buffer Data Port register.

Fixes: CVE-2024-3447
Cc: qemu-stable@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
Reported-by: Alexander Bulekov
Reported-by: Chuhong Yuan
Signed-off-by: Peter Maydell
Message-Id:
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409145524.27913-1-philmd@linaro.org>
---
 hw/sd/sdhci.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index c5e0bc018b..27673e1c70 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); value |= s->fifo_buffer[s->data_count] << i * 8; s->data_count++; /* check if we've read all valid data (blksize bytes) from buffer */ @@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); s->fifo_buffer[s->data_count] = value & 0xFF; s->data_count++; value >>= 8; @@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { value &= ~SDHC_TRNS_DMA; } + + /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */ + if (s->prnsts & SDHC_DATA_INHIBIT) { + mask |= 0xffff; + } + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
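Review bot: the new `assert(s->data_count < s->buf_maxsz)` in the sdhci_read_dataport loop turns a guest-reachable out-of-bounds read of fifo_buffer[] into a guest-triggerable abort of the whole QEMU process. That is the right trade-off against silent memory disclosure, but the commit message only describes the write side ("overflowing the FIFO buffer") and should state that the read path gets the same guard and that a guest which reaches it now crashes the VM instead of reading past the 512-byte buffer. If a recoverable behaviour is preferred, the alternative is to stop the loop and report through qemu_log_mask(LOG_GUEST_ERROR, ...), but an assert is consistent with treating this as impossible device state once the TRNMOD hunk is in place.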
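Review bot: keeping the assert inside the per-byte loop of sdhci_write_dataport is correct, since data_count advances once per iteration and a single check before the loop would not cover a multi-byte access that crosses buf_maxsz; this is also exactly the frame the ASan report points at (hw/sd/sdhci.c:564). Two nits: the identical one-line guard now lives in both the read and the write loop, so a small static inline helper (for example sdhci_check_fifo_index(s)) would keep the invariant in one place; and the qtest reproducer in the commit message, run against the patched tree, will now end in an assertion failure rather than run to completion, which is worth stating so nobody reads the abort as a regression.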
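Review bot: `mask |= 0xffff;` only widens the keep-mask and leaves `value` untouched, so whether the write is really "ignored" depends on what MASKED_WRITE does with `val` after masking. If the macro is the usual `reg = (reg & mask) | val` idiom, this hunk stops a guest from clearing TRNMOD bits while Command Inhibit (DAT) is set (which is what the reproducer does with `write 0x9100000c 0x1 0x00`), but it still lets the guest OR new bits in, for instance switch SDHC_TRNS_DMA on mid-transfer; the spec text quoted in the commit message says writes "shall be ignored", which rules out both directions. Suggest also dropping the incoming bits, e.g. `value &= ~0xffffu;` next to `mask |= 0xffff;`, or add a comment explaining why set-only writes are harmless. The cmdreg half (`mask >> 16`, `value >> 16`) is unaffected either way, which is correct, since the spec only inhibits the Transfer Mode register.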
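As an added example, not QEMU's code and not part of this patch, the following C program models the byte-lane register write that sdhci_write performs on the TRNMOD/CMDREG word and compares the keep-mask-only inhibit from the patch with a variant that also drops the incoming TRNMOD bits. The register bit values, the struct and the MASKED_WRITE macro are assumptions chosen for illustration; the real definitions are in hw/sd/sdhci.c and should be checked there.

```c
/*
 * Added example, not QEMU code: models an SDHCI-style byte-lane register
 * write and the "writes to TRNMOD are ignored while Command Inhibit (DAT)
 * is set" rule.  Bit values, the struct and MASKED_WRITE are assumptions
 * chosen for illustration; the real definitions live in hw/sd/sdhci.c.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SDHC_DATA_INHIBIT  0x0002u  /* Present State: Command Inhibit (DAT) (assumed bit) */
#define SDHC_TRNS_DMA      0x0001u  /* TRNMOD: DMA enable (assumed bit) */
#define SDHC_TRNMOD_MASK   0x0037u  /* writable TRNMOD bits (assumed) */

/* Keep the bits of reg selected by mask, then OR the written value in. */
#define MASKED_WRITE(reg, mask, val)  ((reg) = ((reg) & (mask)) | (val))

typedef struct {
    uint32_t prnsts;   /* Present State register */
    uint16_t trnmod;   /* Transfer Mode register, offset 0x0C */
    uint16_t cmdreg;   /* Command register, offset 0x0E */
} SdhciModel;

/*
 * A `size`-byte write at byte `offset` (0x0C..0x0F) of the 32-bit word that
 * holds TRNMOD in its low half and CMDREG in its high half.
 *
 * mask_only = true  mirrors the patch: widen the keep-mask so no TRNMOD
 *                   bit can be cleared while inhibited.
 * mask_only = false additionally zeroes the incoming TRNMOD bits, so the
 *                   write is ignored in both directions.
 */
static void trnmod_word_write(SdhciModel *s, unsigned offset, uint64_t val,
                              unsigned size, bool mask_only)
{
    unsigned shift = 8 * (offset & 0x3);
    uint32_t mask = ~(((1ULL << (size * 8)) - 1) << shift);  /* bits to keep */
    uint32_t value = (uint32_t)val << shift;

    if (s->prnsts & SDHC_DATA_INHIBIT) {
        mask |= 0xffff;               /* preserve every current TRNMOD bit */
        if (!mask_only) {
            value &= ~0xffffu;        /* and drop the bits the guest sent */
        }
    }
    MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);
    MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
}

/*
 * Constructed guest sequence: enable DMA while idle, a command goes in
 * flight (DAT inhibit set), then the guest tries to clear DMA and to set
 * bit 0x20.  Returns the final TRNMOD value.
 */
static uint16_t inhibited_trnmod_writes(bool mask_only)
{
    SdhciModel s = {0};

    trnmod_word_write(&s, 0x0c, SDHC_TRNS_DMA, 1, mask_only); /* allowed */
    s.prnsts |= SDHC_DATA_INHIBIT;                            /* command in flight */
    trnmod_word_write(&s, 0x0c, 0x00, 1, mask_only);          /* try to clear DMA */
    trnmod_word_write(&s, 0x0c, 0x20, 1, mask_only);          /* try to set bit 5 */
    return s.trnmod;
}

/* CMDREG shares the word but is not inhibited by this rule; returns CMDREG. */
static uint16_t cmdreg_write_while_inhibited(bool mask_only)
{
    SdhciModel s = {0};

    s.prnsts |= SDHC_DATA_INHIBIT;
    trnmod_word_write(&s, 0x0e, 0x20, 1, mask_only);
    return s.cmdreg;
}

int main(void)
{
    printf("mask-only inhibit : TRNMOD = 0x%02x (0x21: DMA kept, bit 5 leaked in)\n",
           (unsigned)inhibited_trnmod_writes(true));
    printf("mask+value inhibit: TRNMOD = 0x%02x (0x01: write fully ignored)\n",
           (unsigned)inhibited_trnmod_writes(false));
    printf("CMDREG while inhibited: 0x%02x (0x20 either way)\n",
           (unsigned)cmdreg_write_while_inhibited(true));
    return 0;
}
```

The mask-only variant blocks the bit-clearing write the reproducer relies on but still lets a set bit through; zeroing the incoming TRNMOD half as well makes the register behave as the quoted spec sentence describes, while the CMDREG half of the same word keeps working in both variants.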