| Message ID | 20210623180021.898286-1-f4bug@amsat.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | hw/sd: Allow card size not power of 2 again | expand |
On 210623 2000, Philippe Mathieu-Daudé wrote: > Hi Ubi-Wan Kenubi and Tom, > > In commit a9bcedd (SD card size has to be power of 2) we decided > to restrict SD card size to avoid security problems (CVE-2020-13253) > but this became not practical to some users. > > This RFC series tries to remove the limitation, keeping our > functional tests working. It is unfinished work because I had to > attend other topics, but sending it early as RFC to get feedback. > I'll keep working when I get more time, except if one if you can > help me. > > Alexander, could you generate a qtest reproducer with the fuzzer > corpus? See: https://bugs.launchpad.net/qemu/+bug/1878054 I think that bug was already fixed - the reproducer no logner causes a timeout on 6.0. Did I misunderstand something? I applied this series and ran the OSS-Fuzz corpus for the sdhci-v3 config. The only problem it found is this assert() (that exists without the patch anyways): https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29225 Let me know if this is something you think I should report on gitlab.. I'll leave the fuzzer running for another 24h or so, but otherwise I'm happy to leave a Tested-by, once there is a V1 series -Alex > Thanks, > > Phil. > > Philippe Mathieu-Daudé (9): > hw/sd: When card is in wrong state, log which state it is > hw/sd: Extract address_in_range() helper, log invalid accesses > tests/acceptance: Tag NetBSD tests as 'os:netbsd' > tests/acceptance: Extract image_expand() helper > tests/acceptance: Use image_expand() in > test_arm_orangepi_uboot_netbsd9 > tests/acceptance: Use image_expand() in test_arm_orangepi_bionic_20_08 > tests/acceptance: Do not expand SD card image in test_arm_orangepi_sd > tests/acceptance: Remove now unused pow2ceil() > hw/sd: Allow card size not power of 2 again > > hw/sd/sd.c | 60 +++++++++++++------------- > tests/acceptance/boot_linux_console.py | 39 ++++++++--------- > tests/acceptance/ppc_prep_40p.py | 2 + > 3 files changed, 52 insertions(+), 49 deletions(-) > > -- > 2.31.1 >
On 6/24/21 4:50 AM, Alexander Bulekov wrote: > On 210623 2000, Philippe Mathieu-Daudé wrote: >> Hi Ubi-Wan Kenubi and Tom, >> >> In commit a9bcedd (SD card size has to be power of 2) we decided >> to restrict SD card size to avoid security problems (CVE-2020-13253) >> but this became not practical to some users. >> >> This RFC series tries to remove the limitation, keeping our >> functional tests working. It is unfinished work because I had to >> attend other topics, but sending it early as RFC to get feedback. >> I'll keep working when I get more time, except if one if you can >> help me. >> >> Alexander, could you generate a qtest reproducer with the fuzzer >> corpus? See: https://bugs.launchpad.net/qemu/+bug/1878054 > > I think that bug was already fixed - the reproducer no logner causes a > timeout on 6.0. Did I misunderstand something? That bug was fixed but now I'm changing the code and would like to feel sure I'm not re-introducing the problem, so having the reproducer in the tree would help. > I applied this series and ran the OSS-Fuzz corpus for the sdhci-v3 > config. The only problem it found is this assert() (that exists without the > patch anyways): > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29225 Sigh. > Let me know if this is something you think I should report on gitlab.. Yes please :( > I'll leave the fuzzer running for another 24h or so, but otherwise I'm > happy to leave a Tested-by, once there is a V1 series > -Alex Thanks! Phil.
On 210624 1012, Philippe Mathieu-Daudé wrote: > On 6/24/21 4:50 AM, Alexander Bulekov wrote: > > On 210623 2000, Philippe Mathieu-Daudé wrote: > >> Hi Ubi-Wan Kenubi and Tom, > >> > >> In commit a9bcedd (SD card size has to be power of 2) we decided > >> to restrict SD card size to avoid security problems (CVE-2020-13253) > >> but this became not practical to some users. > >> > >> This RFC series tries to remove the limitation, keeping our > >> functional tests working. It is unfinished work because I had to > >> attend other topics, but sending it early as RFC to get feedback. > >> I'll keep working when I get more time, except if one if you can > >> help me. > >> > >> Alexander, could you generate a qtest reproducer with the fuzzer > >> corpus? See: https://bugs.launchpad.net/qemu/+bug/1878054 > > > > I think that bug was already fixed - the reproducer no logner causes a > > timeout on 6.0. Did I misunderstand something? > > That bug was fixed but now I'm changing the code and would like to feel > sure I'm not re-introducing the problem, so having the reproducer in the > tree would help. Ok - I'll try to come up with one. Minimizing reproducers for timeouts is trickier than crashes :-) > > > I applied this series and ran the OSS-Fuzz corpus for the sdhci-v3 > > config. The only problem it found is this assert() (that exists without the > > patch anyways): > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29225 > > Sigh. > > > Let me know if this is something you think I should report on gitlab.. > > Yes please :( Ok here it is: https://gitlab.com/qemu-project/qemu/-/issues/450 The fuzzer I left running for 24h also found another bug (looks like DMA reentrancy), which I thought was introduced by this patchset, since OSS-Fuzz had not reported it in months of fuzzing. However, as a sanity-check I tried it against qemu.git and it crashed - strange... Anyways here it is: https://gitlab.com/qemu-project/qemu/-/issues/451 -Alex > > > I'll leave the fuzzer running for another 24h or so, but otherwise I'm > > happy to leave a Tested-by, once there is a V1 series > > -Alex > > Thanks! > > Phil.
Hi Ubi-Wan Kenubi and Tom, In commit a9bcedd (SD card size has to be power of 2) we decided to restrict SD card size to avoid security problems (CVE-2020-13253) but this became not practical to some users. This RFC series tries to remove the limitation, keeping our functional tests working. It is unfinished work because I had to attend other topics, but sending it early as RFC to get feedback. I'll keep working when I get more time, except if one if you can help me. Alexander, could you generate a qtest reproducer with the fuzzer corpus? See: https://bugs.launchpad.net/qemu/+bug/1878054 Thanks, Phil. Philippe Mathieu-Daudé (9): hw/sd: When card is in wrong state, log which state it is hw/sd: Extract address_in_range() helper, log invalid accesses tests/acceptance: Tag NetBSD tests as 'os:netbsd' tests/acceptance: Extract image_expand() helper tests/acceptance: Use image_expand() in test_arm_orangepi_uboot_netbsd9 tests/acceptance: Use image_expand() in test_arm_orangepi_bionic_20_08 tests/acceptance: Do not expand SD card image in test_arm_orangepi_sd tests/acceptance: Remove now unused pow2ceil() hw/sd: Allow card size not power of 2 again hw/sd/sd.c | 60 +++++++++++++------------- tests/acceptance/boot_linux_console.py | 39 ++++++++--------- tests/acceptance/ppc_prep_40p.py | 2 + 3 files changed, 52 insertions(+), 49 deletions(-)