From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Laurent Vivier, Peter Maydell, Thomas Huth, qemu-block@nongnu.org, David Hildenbrand, Jason Wang, Bin Meng, Li Qiang, Philippe Mathieu-Daudé, Peter Xu, Qiuhao Li, Darren Kenny, Bandan Das, Gerd Hoffmann, Stefan Hajnoczi, Edgar E. Iglesias, Alexander Bulekov, Paolo Bonzini, Mauro Matteo Cascella, Philippe Mathieu-Daudé
Subject: [PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue
Date: Wed, 15 Dec 2021 21:55:24 +0100
Message-Id: <20211215205527.488480-1-philmd@redhat.com>

Hi,

This series is an attempt to fix the DMA re-entrancy problem on the SDHCI device. OSS-Fuzz found it and Alexander generated a helpful reproducer.

By setting the MemTxAttrs::memory bit before doing DMA transactions, the flatview API will return MEMTX_BUS_ERROR if the transaction targets a non-memory (a device), which is usually how DMA-reentrancy bugs are exploited.

On real hardware, the checks are on the interconnect bus, not in the SDHCI block. However, QEMU blocks aren't modelled that way. Using the flatview API seems (to me) the simplest and closer to hardware; it is a generic API and we can use it to trace bus transactions on all blocks.

Note this series is simply one example to fix the generic issues. The important changes are in the previous series:
https://lore.kernel.org/qemu-devel/20211215182421.418374-1-philmd@redhat.com/

Based-on: <20211215182421.418374-1-philmd@redhat.com>
"physmem: Have flatview API check bus permission from MemTxAttrs"

Cc: Mauro Matteo Cascella
Cc: Qiuhao Li
Cc: Peter Xu
Cc: Jason Wang
Cc: David Hildenbrand
Cc: Gerd Hoffmann
Cc: Peter Maydell
Cc: Li Qiang
Cc: Thomas Huth
Cc: Laurent Vivier
Cc: Bandan Das
Cc: Edgar E. Iglesias
Cc: Darren Kenny
Cc: Bin Meng
Cc: Paolo Bonzini
Cc: Alexander Bulekov
Cc: Stefan Hajnoczi

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Honor failed DMA transactions
  hw/sd/sdhci: Prohibit DMA accesses to devices
  tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

 hw/sd/sdhci.c                  | 35 ++++++++++++----
 tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 9 deletions(-)
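
A toy model of the check described in the cover letter above, added here as an example; it is not part of the original e-mail and is not QEMU code. Every name in it (`bus_write`, `toy_dev`, `TX_BUS_ERROR`, the two-register layout, the `MAX_NEST` cap) is hypothetical; only the idea of a `memory` attribute bit rejected at bus dispatch comes from the text.

```c
#include <stdint.h>
#include <string.h>

/* Toy bus model, not QEMU code: every name here is hypothetical. */
enum tx_result { TX_OK, TX_BUS_ERROR };
struct tx_attrs { unsigned memory : 1; };      /* stands in for MemTxAttrs::memory */

#define RAM_SIZE  0x1000u                      /* RAM at 0x0000 */
#define MMIO_BASE 0x8000u                      /* reg 0: DMA address, reg 4: start */
#define MAX_NEST  8                            /* cap so the unsafe case terminates */

struct toy_dev { uint32_t dma_addr; unsigned memory_only; int depth, max_depth, dma_failed; };
static struct toy_dev dev;
static uint32_t ram[RAM_SIZE / 4];

static enum tx_result bus_write(uint32_t addr, uint32_t val, struct tx_attrs a);

static void mmio_write(struct toy_dev *d, uint32_t off, uint32_t val)
{
    if (off == 0) { d->dma_addr = val; return; }
    if (off != 4 || d->depth >= MAX_NEST) return;
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    struct tx_attrs a = { .memory = d->memory_only };
    if (bus_write(d->dma_addr, 1, a) != TX_OK)
        d->dma_failed = 1;                     /* honor the failed DMA, stop the transfer */
    d->depth--;
}

static enum tx_result bus_write(uint32_t addr, uint32_t val, struct tx_attrs a)
{
    if (addr <= RAM_SIZE - 4) { ram[addr / 4] = val; return TX_OK; }
    if (addr == MMIO_BASE || addr == MMIO_BASE + 4) {
        if (a.memory) return TX_BUS_ERROR;     /* memory-only access hit a device */
        mmio_write(&dev, addr - MMIO_BASE, val);
        return TX_OK;
    }
    return TX_BUS_ERROR;                       /* unmapped address */
}

/* Guest programs the DMA address, then starts the transfer. Returns handler nesting. */
static int run_case(unsigned memory_only, uint32_t dma_target)
{
    struct tx_attrs cpu = { .memory = 0 };     /* CPU accesses may reach devices */
    memset(&dev, 0, sizeof dev);
    memset(ram, 0, sizeof ram);
    dev.memory_only = memory_only;
    bus_write(MMIO_BASE, dma_target, cpu);
    bus_write(MMIO_BASE + 4, 1, cpu);
    return dev.max_depth;
}

int main(void) { return run_case(1, MMIO_BASE + 4) == 1 ? 0 : 1; }
```

Without the bit, a DMA address that points at the device's own start register nests the handler until the demo cap; with it, the handler runs once and records the failed transfer, while DMA to RAM is unaffected.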