From patchwork Mon Jun 24 13:14:23 2024
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 807037
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Alexander Bulekov
Subject: [PULL 02/19] hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
Date: Mon, 24 Jun 2024 15:14:23 +0200
Message-ID: <20240624131440.81111-3-philmd@linaro.org>
In-Reply-To: <20240624131440.81111-1-philmd@linaro.org>
References: <20240624131440.81111-1-philmd@linaro.org>

For multi-byte commands, our implementation uses the @data_start and @data_offset fields to track byte access. We initialize the command start/offset in the buffer once. A malicious guest might abuse this by switching command while staying in the 'transfer' state, switching the command buffer size, and our implementation can access out of the buffer boundary.

For example, CMD17 (READ_SINGLE_BLOCK) allows reading up to 512 bytes, and CMD13 (SEND_STATUS) up to 64 bytes. By switching from CMD17 to CMD13 (see reproducer below), bytes [64-511] are out of the 'status' buffer.

Our implementation returns the R0 status code for unexpected commands. Such an in-transaction command switch is unexpected and returns R0. This is a good place to reset the start/offset fields to avoid malicious accesses.
Can be reproduced running:

  $ export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
  $ cat << EOF | qemu-system-i386 \
      -display none -nographic \
      -machine accel=qtest -m 512M \
      -nodefaults \
      -device sdhci-pci,sd-spec-version=3 \
      -device sd-card,drive=mydrive \
      -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
      -qtest stdio -trace sd\* -trace -sdbus_read
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001004
  outw 0xcfc 0x02
  write 0xe000002c 0x1 0x05
  write 0xe000000f 0x1 0x37
  write 0xe000000a 0x1 0x01
  write 0xe000000f 0x1 0x29
  write 0xe000000f 0x1 0x02
  write 0xe000000f 0x1 0x03
  write 0xe000000c 0x1 0x32
  write 0xe000000f 0x1 0x06
  write 0xe0000005 0x1 0x01
  write 0xe0000007 0x1 0x01
  write 0xe0000003 0x1 0x00
  write 0xe000000f 0x1 0x11
  write 0xe000002a 0x1 0x01
  write 0xe000002a 0x1 0x02
  write 0xe000000f 0x1 0x0d
  write 0xe000002a 0x1 0x01
  write 0xe000002a 0x1 0x02
  EOF

  hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]'
      #0 sd_read_byte hw/sd/sd.c:1984:15
      #1 sdbus_read_data hw/sd/core.c:157:23
      #2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9
      #3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13
      #4 sdhci_write hw/sd/sdhci.c:1195:13
      #5 memory_region_write_accessor softmmu/memory.c:492:5
      #6 access_with_adjusted_size softmmu/memory.c:554:18
      #7 memory_region_dispatch_write softmmu/memory.c
      #8 flatview_write_continue softmmu/physmem.c:2778:23
      #9 flatview_write softmmu/physmem.c:2818:14
      #10 address_space_write softmmu/physmem.c:2910:18
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/sd/sd.c:1984:15

Reported-by: Alexander Bulekov
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/487
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240408141717.66154-2-philmd@linaro.org>
---
 hw/sd/sd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 807b5d3de3..6a7a10501b 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1826,6 +1826,13 @@ send_response: break; case sd_r0: + /* + * Invalid state transition, reset implementation + * fields to avoid OOB abuse. + */ + sd->data_start = 0; + sd->data_offset = 0; + /* fall-through */ case sd_illegal: rsplen = 0; break;
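Review bot: the reset of `sd->data_start` and `sd->data_offset` only covers the `sd_r0` response path, while the read site named in the UBSAN trace, sd_read_byte() at hw/sd/sd.c:1984, still indexes the response buffer with `data_offset` and has no check against the length of the buffer currently selected. Any other command switch that changes the buffer size without producing an R0 response would therefore stay unguarded. Consider pairing this hunk with a bounds check or assertion at the read site as defense in depth, and expanding the comment from "Invalid state transition" to say why the fields are stale (an in-transaction command switch leaves them referring to the previous command's larger buffer), so the next reader understands what the reset protects against.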
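To make the mechanism in the commit message concrete, here is an added C model that is not QEMU's hw/sd/sd.c: it keeps a `data_offset` index into whichever response buffer the current command selects, handles an in-transfer command switch either the unpatched way (index kept) or the patched way (index reset on the R0 path), and replays the reproducer's shape of CMD17 followed by CMD13. The command numbers and the 512/64-byte sizes come from the commit message; the struct layout, function names, the 256-byte partial read and the sample status byte are constructed for the model. Instead of performing the out-of-bounds read that UBSAN flagged, the model's `sd_read_byte()` checks the index against the selected buffer's length and reports it.

```c
/*
 * Added example, not QEMU's hw/sd/sd.c. Minimal model of the
 * data_start/data_offset tracking described in the commit message.
 * Command numbers and buffer sizes follow the commit message; the
 * struct, function names and sample data are invented for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN  512   /* CMD17 READ_SINGLE_BLOCK: up to 512 bytes */
#define STATUS_LEN 64    /* CMD13 SEND_STATUS: up to 64 bytes */

enum sd_cmd { CMD13_SEND_STATUS = 13, CMD17_READ_SINGLE_BLOCK = 17 };
enum sd_state { sd_idle, sd_transfer };
enum sd_rsp { sd_r0, sd_r1 };

struct sdcard {
    enum sd_state state;
    enum sd_cmd cmd;
    uint32_t data_start;   /* mirrors the page's field; not read by this model */
    uint32_t data_offset;  /* index of the next byte handed to the host */
    uint8_t status[STATUS_LEN];
    uint8_t data[BLOCK_LEN];
};

/* Buffer backing the current command, and its length. */
static size_t sd_current_buf(struct sdcard *sd, uint8_t **buf)
{
    switch (sd->cmd) {
    case CMD13_SEND_STATUS:       *buf = sd->status; return STATUS_LEN;
    case CMD17_READ_SINGLE_BLOCK: *buf = sd->data;   return BLOCK_LEN;
    default:                      *buf = NULL;       return 0;
    }
}

/* Host issues a command; `hardened` selects the patched behaviour. */
static enum sd_rsp sd_send_command(struct sdcard *sd, enum sd_cmd cmd, bool hardened)
{
    if (sd->state == sd_transfer) {
        /* Command switch while a transfer is in flight: unexpected, R0. */
        sd->cmd = cmd;          /* the selected buffer (and its size) changes here... */
        if (hardened) {         /* ...so the patched path resets the indices */
            sd->data_start = 0;
            sd->data_offset = 0;
        }
        return sd_r0;
    }
    sd->cmd = cmd;
    sd->state = sd_transfer;
    sd->data_start = 0;
    sd->data_offset = 0;
    return sd_r1;
}

/* Host pulls one byte. Returns -1 where the real code would index past the
 * selected buffer (the UBSAN finding) instead of reading out of bounds. */
static int sd_read_byte(struct sdcard *sd)
{
    uint8_t *buf;
    size_t len = sd_current_buf(sd, &buf);
    if (buf == NULL || sd->data_offset >= len) {
        return -1;
    }
    return buf[sd->data_offset++];
}

/* Replay the reproducer's shape: CMD17, part of the block, then CMD13.
 * Returns the byte read after the switch (or -1); offset_used, if given,
 * receives the data_offset the post-switch read was about to use. */
int sd_replay_switch(bool hardened, uint32_t *offset_used)
{
    struct sdcard sd;
    memset(&sd, 0, sizeof(sd));
    sd.status[0] = 0x42;                     /* constructed sample status byte */

    sd_send_command(&sd, CMD17_READ_SINGLE_BLOCK, hardened);
    for (int i = 0; i < 256; i++) {          /* consume half of the 512-byte block */
        sd_read_byte(&sd);
    }
    sd_send_command(&sd, CMD13_SEND_STATUS, hardened);   /* in-transfer switch */
    if (offset_used) {
        *offset_used = sd.data_offset;       /* 256 unpatched: past the 64-byte status */
    }
    return sd_read_byte(&sd);
}

/* Convenience wrapper exposing only the offset the post-switch read used. */
uint32_t sd_replay_switch_offset(bool hardened)
{
    uint32_t off = 0;
    sd_replay_switch(hardened, &off);
    return off;
}

int main(void)
{
    uint32_t off;
    int b = sd_replay_switch(false, &off);
    printf("unpatched: offset %u, read %d (-1 = would index out of bounds)\n", (unsigned)off, b);
    b = sd_replay_switch(true, &off);
    printf("patched:   offset %u, read 0x%02x\n", (unsigned)off, b);
    return 0;
}
```

Unpatched, the CMD13 read is attempted at offset 256 into a 64-byte buffer, the same index the UBSAN report shows; patched, the switch resets the offset and the read returns the first status byte. The check inside `sd_read_byte()` is the defense-in-depth companion to the reset: it catches any other path that changes the selected buffer without going through the R0 case.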