From patchwork Mon Apr 8 14:17:17 2024
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 786917
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Bin Meng, qemu-arm@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, qemu-block@nongnu.org
Subject: [PATCH-for-9.1 2/2] hw/sd/sdcard: Assert @data_offset is in range
Date: Mon, 8 Apr 2024 16:17:17 +0200
Message-ID: <20240408141717.66154-3-philmd@linaro.org>
In-Reply-To: <20240408141717.66154-1-philmd@linaro.org>
References: <20240408141717.66154-1-philmd@linaro.org>

Prevent out-of-bounds access with assertions.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/sd/sd.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 16d8d52a78..c081211582 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1875,6 +1875,7 @@ void sd_write_byte(SDState *sd, uint8_t value) sd->current_cmd, value); switch (sd->current_cmd) { case 24: /* CMD24: WRITE_SINGLE_BLOCK */ + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sd->blk_len) { /* TODO: Check CRC before committing */ 
@@ -1901,6 +1902,7 @@ void sd_write_byte(SDState *sd, uint8_t value) } } } + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset++] = value; if (sd->data_offset >= sd->blk_len) { /* TODO: Check CRC before committing */ @@ -1925,6 +1927,7 @@ void sd_write_byte(SDState *sd, uint8_t value) break; case 26: /* CMD26: PROGRAM_CID */ + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sizeof(sd->cid)) { /* TODO: Check CRC before committing */ @@ -1944,6 +1947,7 @@ void sd_write_byte(SDState *sd, uint8_t value) break; case 27: /* CMD27: PROGRAM_CSD */ + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sizeof(sd->csd)) { /* TODO: Check CRC before committing */ @@ -1968,6 +1972,7 @@ void sd_write_byte(SDState *sd, uint8_t value) break; case 42: /* CMD42: LOCK_UNLOCK */ + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sd->blk_len) { /* TODO: Check CRC before committing */ @@ -1979,6 +1984,7 @@ void sd_write_byte(SDState *sd, uint8_t value) break; case 56: /* CMD56: GEN_CMD */ + assert(sd->data_offset < sizeof(sd->data)); sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sd->blk_len) { APP_WRITE_BLOCK(sd->data_start, sd->data_offset); @@ -2046,6 +2052,7 @@ uint8_t sd_read_byte(SDState *sd) break; case 13: /* ACMD13: SD_STATUS */ + assert(sd->data_offset < sizeof(sd->sd_status)); ret = sd->sd_status[sd->data_offset ++]; if (sd->data_offset >= sizeof(sd->sd_status)) @@ -2055,6 +2062,7 @@ uint8_t sd_read_byte(SDState *sd) case 17: /* CMD17: READ_SINGLE_BLOCK */ if (sd->data_offset == 0) BLK_READ_BLOCK(sd->data_start, io_len); + assert(sd->data_offset < sizeof(sd->data)); ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= io_len) 
@@ -2069,6 +2077,7 @@ uint8_t sd_read_byte(SDState *sd) } BLK_READ_BLOCK(sd->data_start, io_len); } + assert(sd->data_offset < sizeof(sd->data)); ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= io_len) { @@ -2089,10 +2098,12 @@ uint8_t sd_read_byte(SDState *sd) if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { sd->state = sd_transfer_state; } + assert(sd->data_offset < sizeof(sd_tuning_block_pattern)); ret = sd_tuning_block_pattern[sd->data_offset++]; break; case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ + assert(sd->data_offset < sizeof(sd->sd_status)); ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= 4) @@ -2100,6 +2111,7 @@ uint8_t sd_read_byte(SDState *sd) break; case 30: /* CMD30: SEND_WRITE_PROT */ + assert(sd->data_offset < sizeof(sd->data)); ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= 4) @@ -2107,6 +2119,7 @@ uint8_t sd_read_byte(SDState *sd) break; case 51: /* ACMD51: SEND_SCR */ + assert(sd->data_offset < sizeof(sd->scr)); ret = sd->scr[sd->data_offset ++]; if (sd->data_offset >= sizeof(sd->scr)) @@ -2116,6 +2129,7 @@ uint8_t sd_read_byte(SDState *sd) case 56: /* CMD56: GEN_CMD */ if (sd->data_offset == 0) APP_READ_BLOCK(sd->data_start, sd->blk_len); + assert(sd->data_offset < sizeof(sd->data)); ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= sd->blk_len)
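Review bot: the assertion added in the ACMD22 (SEND_NUM_WR_BLOCKS) hunk of sd_read_byte() bounds the wrong array. It asserts `sd->data_offset < sizeof(sd->sd_status)` but the very next line reads `sd->data[sd->data_offset ++]`, so unless sd_status and data happen to be the same size the check is either too strict or does not protect the access at all. It should be `assert(sd->data_offset < sizeof(sd->data));`, matching the CMD30 (SEND_WRITE_PROT) hunk just below, which has the same four-byte response shape.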
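Review bot: in the CMD17 (READ_SINGLE_BLOCK) hunk the new assert sits after `BLK_READ_BLOCK(sd->data_start, io_len);`, so it only bounds the per-byte read that follows; if io_len could ever exceed sizeof(sd->data), the block copy into sd->data has already overrun before the assert is reached. The CMD18 hunk (`BLK_READ_BLOCK(sd->data_start, io_len);` preceding the assert) and the CMD56 read hunk (`APP_READ_BLOCK(sd->data_start, sd->blk_len);` preceding the assert) have the same shape. If the goal is to prove sd->data is never overrun, asserting io_len / sd->blk_len against sizeof(sd->data) before the bulk read would cover both the block copy and the byte reads, and the per-byte assert then follows from it.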
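Review bot: the identical line `assert(sd->data_offset < sizeof(sd->data));` is added verbatim in front of each `sd->data[sd->data_offset ++] = value;` in sd_write_byte() (CMD24, CMD25, CMD26, CMD27, CMD42, CMD56). Six copies invite a seventh case that forgets it; a single check before the `switch (sd->current_cmd)` or a small static inline helper that asserts and stores would be easier to keep correct. The CMD26 and CMD27 hunks also terminate on `sizeof(sd->cid)` and `sizeof(sd->csd)` respectively, so the tighter bound is available there. Separately, the commit message should say why data_offset cannot legitimately reach sizeof(sd->data): assert() aborts QEMU, so if any of these offsets can be driven out of range by the guest this turns a memory-safety bug into a guest-triggerable crash, and a guard that refuses the byte rather than aborting would be the safer choice for such paths.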
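Review bot: in the CMD19 tuning-block hunk the state transition is keyed on `SD_TUNING_BLOCK_SIZE - 1` while the new assert is keyed on `sizeof(sd_tuning_block_pattern)`; these are two spellings of what must be the same bound. Either assert against SD_TUNING_BLOCK_SIZE for consistency with the line above it, or add a static assertion that sizeof(sd_tuning_block_pattern) equals SD_TUNING_BLOCK_SIZE so the two cannot drift apart.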