From patchwork Tue Nov 8 18:33:50 2022
X-Patchwork-Id: 622651
From: Philippe Mathieu-Daudé <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng, Hanna Reitz, David Hildenbrand, Kevin Wolf, qemu-block@nongnu.org, Peter Xu, Paolo Bonzini, Philippe Mathieu-Daudé, Zhenzhong Duan
Subject: [PULL 1/3] memory: Fix wrong end address dump
Date: Tue, 8 Nov 2022 19:33:50 +0100
Message-Id: <20221108183352.9466-2-philmd@linaro.org>
In-Reply-To: <20221108183352.9466-1-philmd@linaro.org>
References: <20221108183352.9466-1-philmd@linaro.org>

From: Zhenzhong Duan

The end address of memory region section isn't correctly calculated,
which leads to an overflowed mtree dump:

  Dispatch
    Physical sections
      ......
      #70 @0000000000002000..0000000000011fff io [ROOT]
      #71 @0000000000005000..0000000000005fff (noname)
      #72 @0000000000005000..0000000000014fff io [ROOT]
      #73 @0000000000005658..0000000000005658 vmport
      #74 @0000000000005659..0000000000015658 io [ROOT]
      #75 @0000000000006000..0000000000015fff io [ROOT]

After fix:

      #70 @0000000000002000..0000000000004fff io [ROOT]
      #71 @0000000000005000..0000000000005fff (noname)
      #72 @0000000000005000..0000000000005657 io [ROOT]
      #73 @0000000000005658..0000000000005658 vmport
      #74 @0000000000005659..0000000000005fff io [ROOT]
      #75 @0000000000006000..000000000000ffff io [ROOT]

Fixes: 5e8fd947e2670 ("memory: Rework "info mtree" to print flat views and dispatch trees")
Signed-off-by: Zhenzhong Duan
Reviewed-by: David Hildenbrand
Reviewed-by: Peter Xu
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20220622095912.3430583-1-zhenzhong.duan@intel.com>
Signed-off-by: Philippe Mathieu-Daudé
---
 softmmu/physmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index d9578ccfd4..1b606a3002 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -3712,7 +3712,7 @@ void mtree_print_dispatch(AddressSpaceDispatch *d, MemoryRegion *root)
                     " %s%s%s%s%s",
             i,
             s->offset_within_address_space,
-            s->offset_within_address_space + MR_SIZE(s->mr->size),
+            s->offset_within_address_space + MR_SIZE(s->size),
             s->mr->name ? s->mr->name : "(noname)",
             i < ARRAY_SIZE(names) ? names[i] : "",
             s->mr == root ? " [ROOT]" : "",
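Review bot: the one-line change only affects the `info mtree` dump, so it is safe to backport, and since the wrong end addresses make the dispatch-tree output misleading on released versions it deserves a `Cc: qemu-stable@nongnu.org` tag next to the Fixes: line.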
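The distinction the fix rests on, as an added example (not QEMU's code and not from the patch author): a physical section is a sub-range of its MemoryRegion, so its inclusive end must come from the section's own size, not from the region's. The C model below reproduces the before/after numbers of the commit message's dump with constructed regions and sections (`io_root`, `noname`, `vmport`, `sections[]` and the sizes are assumptions chosen to match the dump; `mr_size_model()` mirrors the contract of QEMU's `MR_SIZE()` on 64-bit values) and adds a sanity check that a printed range must cover exactly the section's size.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A region as the dump sees it: a name (NULL prints as "(noname)") and the
 * region's total size. Constructed model, not QEMU's MemoryRegion. */
typedef struct {
    const char *name;
    uint64_t size;
} MemoryRegionModel;

/* A physical section: one contiguous sub-range of a region. Its own size
 * bounds it; the region may be far larger. */
typedef struct {
    const MemoryRegionModel *mr;
    uint64_t offset_within_address_space;
    uint64_t size;
} SectionModel;

/* Constructed regions: a 64 KiB root I/O region, an unnamed 4 KiB region
 * and the one-byte vmport, named after the entries in the dump. */
static const MemoryRegionModel io_root = { "io", 0x10000 };
static const MemoryRegionModel noname  = { NULL, 0x1000 };
static const MemoryRegionModel vmport  = { "vmport", 1 };

/* Constructed sections #70..#75; sizes chosen to reproduce the dump. */
static const SectionModel sections[] = {
    { &io_root, 0x2000, 0x3000 },
    { &noname,  0x5000, 0x1000 },
    { &io_root, 0x5000, 0x0658 },
    { &vmport,  0x5658, 0x0001 },
    { &io_root, 0x5659, 0x09a7 },
    { &io_root, 0x6000, 0xa000 },
};
#define FIRST_INDEX 70u
#define NSECTIONS (sizeof(sections) / sizeof(sections[0]))

/* Same contract as QEMU's MR_SIZE(): the last offset covered by a size, or
 * 0 for an empty size (64-bit stand-in; QEMU's sizes are Int128). */
static uint64_t mr_size_model(uint64_t size)
{
    return size ? size - 1 : 0;
}

/* Inclusive end before the fix: the owning region's size is used, so every
 * section of the 64 KiB io region appears to end 64 KiB after its start. */
uint64_t section_end_buggy(const SectionModel *s)
{
    return s->offset_within_address_space + mr_size_model(s->mr->size);
}

/* Inclusive end after the fix: the section's own size is used. */
uint64_t section_end_fixed(const SectionModel *s)
{
    return s->offset_within_address_space + mr_size_model(s->size);
}

/* Render one line in the "#N @start..end name [ROOT]" shape of the dump. */
void format_section(char *buf, size_t len, unsigned idx,
                    const SectionModel *s, bool fixed)
{
    uint64_t end = fixed ? section_end_fixed(s) : section_end_buggy(s);

    snprintf(buf, len, "#%u @%016" PRIx64 "..%016" PRIx64 " %s%s",
             idx, s->offset_within_address_space, end,
             s->mr->name ? s->mr->name : "(noname)",
             s->mr == &io_root ? " [ROOT]" : "");
}

/* True when the rendered line equals the expected dump line. */
bool dump_line_matches(unsigned idx, const SectionModel *s, bool fixed,
                       const char *expected)
{
    char line[96];

    format_section(line, sizeof line, idx, s, fixed);
    return strcmp(line, expected) == 0;
}

/* Sanity check: a printed range must cover exactly the section's size.
 * Returns how many sections fail that check. */
unsigned count_bad_lines(bool fixed)
{
    unsigned bad = 0;

    for (size_t i = 0; i < NSECTIONS; i++) {
        const SectionModel *s = &sections[i];
        uint64_t end = fixed ? section_end_fixed(s) : section_end_buggy(s);

        if (end - s->offset_within_address_space + 1 != s->size) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    char line[96];

    for (int pass = 0; pass < 2; pass++) {
        bool fixed = (pass == 1);

        printf("%s fix:\n", fixed ? "After" : "Before");
        for (size_t i = 0; i < NSECTIONS; i++) {
            format_section(line, sizeof line, (unsigned)(FIRST_INDEX + i),
                           &sections[i], fixed);
            printf("  %s\n", line);
        }
        printf("  %u section(s) with a wrong range\n", count_bad_lines(fixed));
    }
    return 0;
}
```

Only the `io [ROOT]` lines change between the two passes: the `(noname)` and `vmport` sections each cover their whole region, so region size and section size coincide there, which is why the bug was easy to miss on simple dumps.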
From patchwork Tue Nov 8 18:33:51 2022
X-Patchwork-Id: 622652
From: Philippe Mathieu-Daudé <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng, Hanna Reitz, David Hildenbrand, Kevin Wolf, qemu-block@nongnu.org, Peter Xu, Paolo Bonzini, Philippe Mathieu-Daudé, RivenDell, Siqi Chen, ningqiang, Mauro Matteo Cascella
Subject: [PULL 2/3] hw/sd/sdhci: Do not set Buf Wr Ena before writing block (CVE-2022-3872)
Date: Tue, 8 Nov 2022 19:33:51 +0100
Message-Id: <20221108183352.9466-3-philmd@linaro.org>
In-Reply-To: <20221108183352.9466-1-philmd@linaro.org>
References: <20221108183352.9466-1-philmd@linaro.org>

When sdhci_write_block_to_card() is called to transfer data from the
FIFO to the SD bus, the data is already present in the buffer and we
have to consume it directly.

See the description of the 'Buffer Write Enable' bit from the
'Present State' register (prnsts::SDHC_SPACE_AVAILABLE) in Table 2.14
from the SDHCI spec v2:

  Buffer Write Enable

  This status is used for non-DMA write transfers.

  The Host Controller can implement multiple buffers to transfer data
  efficiently. This read only flag indicates if space is available for
  write data. If this bit is 1, data can be written to the buffer.

  A change of this bit from 1 to 0 occurs when all the block data is
  written to the buffer. A change of this bit from 0 to 1 occurs when
  top of block data can be written to the buffer and generates the
  Buffer Write Ready interrupt.

In our case, we do not want to overwrite the buffer, so we want this
bit to be 0, then set it to 1 once the data is written onto the bus.

This is probably a copy/paste error from commit d7dfca0807
("hw/sdhci: introduce standard SD host controller").

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45986#c4

Reproducers:

  $ cat << EOF | \
    qemu-system-x86_64 -nodefaults -display none -machine accel=qtest \
      -m 512M -device sdhci-pci -device sd-card,drive=mydrive \
      -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
      -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0xe0000058 0x1 0x6e
  write 0xe0000059 0x1 0x5a
  write 0xe0000028 0x1 0x10
  write 0xe000002c 0x1 0x05
  write 0x5a6e 0x1 0x21
  write 0x5a75 0x1 0x20
  write 0xe0000005 0x1 0x02
  write 0xe000000c 0x1 0x01
  write 0xe000000e 0x1 0x20
  write 0xe000000f 0x1 0x00
  write 0xe000000c 0x1 0x00
  write 0xe0000020 0x1 0x00
  EOF

or https://lore.kernel.org/qemu-devel/CAA8xKjXrmS0fkr28AKvNNpyAtM0y0B+5FichpsrhD+mUgnuyKg@mail.gmail.com/

Fixes: CVE-2022-3872
Reported-by: RivenDell
Reported-by: Siqi Chen
Reported-by: ningqiang
Reported-by: ClusterFuzz
Signed-off-by: Philippe Mathieu-Daudé
Tested-by: Mauro Matteo Cascella
Message-Id: <20221107221236.47841-2-philmd@linaro.org>
---
 hw/sd/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 306070c872..f230e7475f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -954,7 +954,7 @@ static void sdhci_data_transfer(void *opaque)
                 sdhci_read_block_from_card(s);
             } else {
                 s->prnsts |= SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE |
-                             SDHC_SPACE_AVAILABLE | SDHC_DATA_INHIBIT;
+                             SDHC_DATA_INHIBIT;
                 sdhci_write_block_to_card(s);
             }
         }
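Review bot: with `SDHC_SPACE_AVAILABLE` no longer set before the call, `sdhci_write_block_to_card(s)` alone is responsible for the 0 -> 1 transition (and the Buffer Write Ready interrupt) once the block is on the bus, and the hunk does not show that path; please confirm it sets the bit on every exit that consumes the buffer, otherwise a guest doing non-DMA writes never sees the transition the commit message relies on. The qtest reproducer in the commit message is also worth carrying into a regression test so the CVE fix stays covered by `make check`.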
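The invariant the patch restores, as an added example that is not QEMU's code and not the patch author's: a reduced C model of a non-DMA block write through an SDHCI-style controller, in which 'Buffer Write Enable' (`SDHC_SPACE_AVAILABLE`) must be 0 while the buffer holds a block that has not yet been pushed onto the bus and returns to 1 only after the controller consumed it. `HostModel`, `guest_write_dataport()`, `write_block_to_card()`, `data_transfer()` and `run_scenario()` are constructed for this model; the bit values follow the Present State register layout, and the block size is shrunk to 8 bytes. With the removed line in place the kicked transfer finds the bit already set, never consumes the block, and the guest's next writes arrive while the buffer is still full; the model counts those writes as refusals rather than performing them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 8u   /* a tiny block keeps the model readable */

/* Present State bits at the positions of the SDHCI register layout; the
 * names are the ones used in the hunk above. */
#define SDHC_DATA_INHIBIT     (1u << 1)
#define SDHC_DAT_LINE_ACTIVE  (1u << 2)
#define SDHC_DOING_WRITE      (1u << 8)
#define SDHC_SPACE_AVAILABLE  (1u << 10)   /* "Buffer Write Enable" */

/* Constructed controller state, not QEMU's SDHCIState. */
typedef struct {
    uint32_t prnsts;                  /* Present State register */
    uint8_t  fifo_buffer[BLOCK_SIZE]; /* one block of non-DMA write data */
    unsigned data_count;              /* bytes of the block already buffered */
    unsigned refused_writes;          /* guest writes that found no room */
    unsigned bytes_on_card;           /* bytes that reached the "SD bus" */
} HostModel;

/* Guest side: one byte written through the Buffer Data Port. Buffer Write
 * Enable tells the guest whether the buffer may be written; the controller
 * clears it as soon as the block is complete (the 1 -> 0 transition). */
bool guest_write_dataport(HostModel *s, uint8_t value)
{
    if (!(s->prnsts & SDHC_SPACE_AVAILABLE) || s->data_count >= BLOCK_SIZE) {
        /* Bit clear, or bit set while the buffer is still full: either way
         * the byte has nowhere safe to go, so the model refuses it. */
        s->refused_writes++;
        return false;
    }
    s->fifo_buffer[s->data_count++] = value;
    if (s->data_count == BLOCK_SIZE) {
        s->prnsts &= ~SDHC_SPACE_AVAILABLE;   /* 1 -> 0: block complete */
    }
    return true;
}

/* Controller side: push the buffered block onto the bus. A set Buffer Write
 * Enable means "the guest is still filling the buffer", so the block is
 * consumed only when the bit is clear; afterwards the bit goes 0 -> 1. */
void write_block_to_card(HostModel *s)
{
    if (s->prnsts & SDHC_SPACE_AVAILABLE) {
        return;                        /* nothing complete to send yet */
    }
    s->bytes_on_card += BLOCK_SIZE;    /* the model's bus is a byte counter */
    memset(s->fifo_buffer, 0, sizeof s->fifo_buffer);
    s->data_count = 0;
    s->prnsts |= SDHC_SPACE_AVAILABLE; /* 0 -> 1: next block may be written */
}

/* The transfer kick from the hunk, in the removed form (pre-setting Buffer
 * Write Enable) or the fixed form. */
void data_transfer(HostModel *s, bool preset_space_available)
{
    s->prnsts |= SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE | SDHC_DATA_INHIBIT;
    if (preset_space_available) {
        s->prnsts |= SDHC_SPACE_AVAILABLE;   /* the line the patch removes */
    }
    write_block_to_card(s);
}

typedef struct {
    unsigned bytes_on_card;
    unsigned refused_writes;
} ScenarioResult;

/* Scenario: the guest fills a block and the transfer is kicked, twice. */
ScenarioResult run_scenario(bool buggy)
{
    HostModel s;
    ScenarioResult r;

    memset(&s, 0, sizeof s);
    s.prnsts = SDHC_SPACE_AVAILABLE;   /* idle controller, empty buffer */

    for (unsigned round = 0; round < 2; round++) {
        for (unsigned i = 0; i < BLOCK_SIZE; i++) {
            guest_write_dataport(&s, (uint8_t)(0xA0 + i));
        }
        data_transfer(&s, buggy);
    }
    r.bytes_on_card = s.bytes_on_card;
    r.refused_writes = s.refused_writes;
    return r;
}

int main(void)
{
    ScenarioResult fixed = run_scenario(false);
    ScenarioResult buggy = run_scenario(true);

    printf("fixed: %u bytes on card, %u refused writes\n",
           fixed.bytes_on_card, fixed.refused_writes);
    printf("buggy: %u bytes on card, %u refused writes\n",
           buggy.bytes_on_card, buggy.refused_writes);
    return 0;
}
```

In the fixed run both blocks reach the bus and no write is refused; in the buggy run nothing reaches the bus and the whole second block is refused, because the pre-set bit told the guest there was room while the first block was still sitting in the buffer. A real controller model that does not guard `data_count` the way this one does would instead act on that contradictory state, which is what the fuzzer reproducer exercises.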
From patchwork Tue Nov 8 18:33:52 2022
X-Patchwork-Id: 622653
From: Philippe Mathieu-Daudé <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: Bin Meng, Hanna Reitz, David Hildenbrand, Kevin Wolf, qemu-block@nongnu.org, Peter Xu, Paolo Bonzini, Philippe Mathieu-Daudé, Daniel Henrique Barboza
Subject: [PULL 3/3] Revert "hw/block/pflash_cfi: Error out if dev length isn't power of 2"
Date: Tue, 8 Nov 2022 19:33:52 +0100
Message-Id: <20221108183352.9466-4-philmd@linaro.org>
In-Reply-To: <20221108183352.9466-1-philmd@linaro.org>
References: <20221108183352.9466-1-philmd@linaro.org>

From: Daniel Henrique Barboza

Commit 334c388f25 ("pflash_cfi: Error out if device length isn't a
power of two") aimed to finish the effort started by commit 06f1521795
("pflash: Require backend size to match device, improve errors"), but
unfortunately we are not quite there since various machines are still
ready to accept incomplete / oversized pflash backend images, and now
fail, i.e. on Debian bullseye:

  $ qemu-system-x86_64 \
      -drive \
      if=pflash,format=raw,unit=0,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd
  qemu-system-x86_64: Device size must be a power of two.

where OVMF_CODE.fd comes from the ovmf package, which doesn't pad the
firmware images to the flash size:

  $ ls -lh /usr/share/OVMF/
  -rw-r--r-- 1 root root 3.5M Aug 19  2021 OVMF_CODE_4M.fd
  -rw-r--r-- 1 root root 1.9M Aug 19  2021 OVMF_CODE.fd
  -rw-r--r-- 1 root root 128K Aug 19  2021 OVMF_VARS.fd

Since we entered the freeze period to prepare the v7.2.0 release, the
safest is to revert commit 334c388f25707a234c4a0dea05b9df08d.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1294
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20221108175755.95141-1-philmd@linaro.org>
Signed-off-by: Daniel Henrique Barboza
Message-Id: <20221108172633.860700-1-danielhb413@gmail.com>
---
 hw/block/pflash_cfi01.c | 8 ++------
 hw/block/pflash_cfi02.c | 5 -----
 2 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 9c235bf66e..0cbc2fb4cb 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -690,7 +690,7 @@ static const MemoryRegionOps pflash_cfi01_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static void pflash_cfi01_fill_cfi_table(PFlashCFI01 *pfl, Error **errp)
+static void pflash_cfi01_fill_cfi_table(PFlashCFI01 *pfl)
 {
     uint64_t blocks_per_device, sector_len_per_device, device_len;
     int num_devices;
@@ -708,10 +708,6 @@ static void pflash_cfi01_fill_cfi_table(PFlashCFI01 *pfl, Error **errp)
         sector_len_per_device = pfl->sector_len / num_devices;
     }
     device_len = sector_len_per_device * blocks_per_device;
-    if (!is_power_of_2(device_len)) {
-        error_setg(errp, "Device size must be a power of two.");
-        return;
-    }
 
     /* Hardcoded CFI table */
     /* Standard "QRY" string */
@@ -869,7 +865,7 @@ static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
      */
     pfl->cmd = 0x00;
     pfl->status = 0x80; /* WSM ready */
-    pflash_cfi01_fill_cfi_table(pfl, errp);
+    pflash_cfi01_fill_cfi_table(pfl);
 }
 
 static void pflash_cfi01_system_reset(DeviceState *dev)
diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index ff2fe154c1..2a99b286b0 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -880,11 +880,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
         return;
     }
 
-    if (!is_power_of_2(pfl->chip_len)) {
-        error_setg(errp, "Device size must be a power of two.");
-        return;
-    }
-
     memory_region_init_rom_device(&pfl->orig_mem, OBJECT(pfl),
                                   &pflash_cfi02_ops, pfl, pfl->name,
                                   pfl->chip_len, errp);
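Review bot: in the `pflash_cfi01_fill_cfi_table()` hunk (-708), removing the `is_power_of_2(device_len)` check lets a `device_len` that is not a power of two flow unvalidated into the hardcoded CFI table that follows it; that is the trade-off the commit message chooses for the freeze, but please record in the GitLab issue that the validation is to come back after v7.2.0 in a form that tolerates the unpadded Debian OVMF images (for instance as a warning, or by accepting a backend smaller than the device and padding it), so the revert does not silently become permanent.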
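Review bot: in the `pflash_cfi02_realize()` hunk (-880), the removed check guarded `pfl->chip_len` immediately before `memory_region_init_rom_device()` receives that length, so a non-power-of-two `chip_len` now reaches the memory region again; fine for a straight revert, but the follow-up fix after the release should cover both the CFI01 and the CFI02 models, since the commit message only shows the CFI01 (OVMF) failure.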