[RFC,9/9] hw/sd: Allow card size not power of 2 again

Message ID	20210623180021.898286-10-f4bug@amsat.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=kCKP=LR=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B4E5D61075 From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org> To: qemu-devel@nongnu.org Subject: [RFC PATCH 9/9] hw/sd: Allow card size not power of 2 again Date: Wed, 23 Jun 2021 20:00:21 +0200 Message-Id: <20210623180021.898286-10-f4bug@amsat.org> In-Reply-To: <20210623180021.898286-1-f4bug@amsat.org> References: <20210623180021.898286-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::32a; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-x32a.google.com X-Spam_score_int: -14 X-Spam_score: -1.5 X-Spam_bar: - X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Cc: =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>, qemu-block@nongnu.org, Bin Meng <bin.meng@windriver.com>, =?utf-8?q?Philipp?= =?utf-8?q?e_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>, Tom Yan <tom.ty89@gmail.com>, Alexander Bulekov <alxndr@bu.edu>, Niek Linnenbank <nieklinnenbank@gmail.com>, =?utf-8?q?Michal_Such=C3=A1nek?= <msuchanek@suse.de>, =?utf-8?q?Philippe_Ma?= =?utf-8?q?thieu-Daud=C3=A9?= <philmd@redhat.com>, Warner Losh <imp@bsdimp.com> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	hw/sd: Allow card size not power of 2 again \| expand [RFC,0/9] hw/sd: Allow card size not power of 2 again [1/9] hw/sd: When card is in wrong state, log which state it is [2/9] hw/sd: Extract address_in_range() helper, log invalid accesses [3/9] tests/acceptance: Tag NetBSD tests as 'os:netbsd' [4/9] tests/acceptance: Extract image_expand() helper [5/9] tests/acceptance: Use image_expand() in test_arm_orangepi_uboot_netbsd9 [RFC,6/9] tests/acceptance: Use image_expand() in test_arm_orangepi_bionic_20_08 [RFC,7/9] tests/acceptance: Do not expand SD card image in test_arm_orangepi_sd [8/9] tests/acceptance: Remove now unused pow2ceil() [RFC,9/9] hw/sd: Allow card size not power of 2 again

Message ID

20210623180021.898286-10-f4bug@amsat.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B4E5D61075
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 9/9] hw/sd: Allow card size not power of 2 again
Date: Wed, 23 Jun 2021 20:00:21 +0200
Message-Id: <20210623180021.898286-10-f4bug@amsat.org>
In-Reply-To: <20210623180021.898286-1-f4bug@amsat.org>
References: <20210623180021.898286-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::32a;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-x32a.google.com
X-Spam_score_int: -14
X-Spam_score: -1.5
X-Spam_bar: -
X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25,
 FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>,
 qemu-block@nongnu.org, Bin Meng <bin.meng@windriver.com>, =?utf-8?q?Philipp?=
	=?utf-8?q?e_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
 Tom Yan <tom.ty89@gmail.com>, Alexander Bulekov <alxndr@bu.edu>,
 Niek Linnenbank <nieklinnenbank@gmail.com>,
 =?utf-8?q?Michal_Such=C3=A1nek?= <msuchanek@suse.de>, =?utf-8?q?Philippe_Ma?=
	=?utf-8?q?thieu-Daud=C3=A9?= <philmd@redhat.com>,
 Warner Losh <imp@bsdimp.com>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

hw/sd: Allow card size not power of 2 again | expand

Commit Message

Philippe Mathieu-Daudé June 23, 2021, 6 p.m. UTC

In commit a9bcedd15a5 ("hw/sd/sdcard: Do not allow invalid SD card
sizes") we tried to protect us from CVE-2020-13253 by only allowing
card with power-of-2 sizes. However doing so we disrupted valid user
cases. As a compromise, allow any card size, but warn only power of 2
sizes are supported, still suggesting the user how to increase a
card with 'qemu-img resize'.

Cc: Tom Yan <tom.ty89@gmail.com>
Cc: Warner Losh <imp@bsdimp.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1910586
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sd.c | 25 +++++++++----------------
 1 file changed, 9 insertions(+), 16 deletions(-)

Comments

Daniel P. Berrangé June 24, 2021, 10:17 a.m. UTC | #1

On Wed, Jun 23, 2021 at 08:00:21PM +0200, Philippe Mathieu-Daudé wrote:
> In commit a9bcedd15a5 ("hw/sd/sdcard: Do not allow invalid SD card
> sizes") we tried to protect us from CVE-2020-13253 by only allowing
> card with power-of-2 sizes. However doing so we disrupted valid user
> cases. As a compromise, allow any card size, but warn only power of 2
> sizes are supported, still suggesting the user how to increase a
> card with 'qemu-img resize'.
> 
> Cc: Tom Yan <tom.ty89@gmail.com>
> Cc: Warner Losh <imp@bsdimp.com>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1910586
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sd.c | 25 +++++++++----------------
>  1 file changed, 9 insertions(+), 16 deletions(-)
> 
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 9c8dd11bad1..cab4aab1475 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -2131,23 +2131,16 @@ static void sd_realize(DeviceState *dev, Error **errp)
>          blk_size = blk_getlength(sd->blk);
>          if (blk_size > 0 && !is_power_of_2(blk_size)) {
>              int64_t blk_size_aligned = pow2ceil(blk_size);
> -            char *blk_size_str;
> +            g_autofree char *blk_size_s = size_to_str(blk_size);
> +            g_autofree char *blk_size_aligned_s = size_to_str(blk_size_aligned);
>  
> -            blk_size_str = size_to_str(blk_size);
> -            error_setg(errp, "Invalid SD card size: %s", blk_size_str);
> -            g_free(blk_size_str);
> -
> -            blk_size_str = size_to_str(blk_size_aligned);
> -            error_append_hint(errp,
> -                              "SD card size has to be a power of 2, e.g. %s.\n"
> -                              "You can resize disk images with"
> -                              " 'qemu-img resize <imagefile> <new-size>'\n"
> -                              "(note that this will lose data if you make the"
> -                              " image smaller than it currently is).\n",
> -                              blk_size_str);
> -            g_free(blk_size_str);
> -
> -            return;
> +            warn_report("SD card size is not a power of 2 (%s). It might work"
> +                        " but is not supported by QEMU. If possible, resize"
> +                        " your disk image to %s with:",
> +                        blk_size_s, blk_size_aligned_s);
> +            warn_report(" 'qemu-img resize <imagefile> <new-size>'");
> +            warn_report("(note that this will lose data if you make the"
> +                        " image smaller than it currently is).");

In what scenarios will non-power of 2 not work and what is the effect ?
Is it a QEMU bug or not ?

Regards,
Daniel

Tom Yan June 24, 2021, 10:24 a.m. UTC | #2

Hi,

On Thu, 24 Jun 2021 at 02:01, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> In commit a9bcedd15a5 ("hw/sd/sdcard: Do not allow invalid SD card
> sizes") we tried to protect us from CVE-2020-13253 by only allowing
> card with power-of-2 sizes. However doing so we disrupted valid user
> cases. As a compromise, allow any card size, but warn only power of 2
> sizes are supported, still suggesting the user how to increase a
> card with 'qemu-img resize'.
>
> Cc: Tom Yan <tom.ty89@gmail.com>
> Cc: Warner Losh <imp@bsdimp.com>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1910586
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/sd/sd.c | 25 +++++++++----------------
>  1 file changed, 9 insertions(+), 16 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 9c8dd11bad1..cab4aab1475 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -2131,23 +2131,16 @@ static void sd_realize(DeviceState *dev, Error **errp)
>          blk_size = blk_getlength(sd->blk);
>          if (blk_size > 0 && !is_power_of_2(blk_size)) {
>              int64_t blk_size_aligned = pow2ceil(blk_size);
> -            char *blk_size_str;
> +            g_autofree char *blk_size_s = size_to_str(blk_size);
> +            g_autofree char *blk_size_aligned_s = size_to_str(blk_size_aligned);
>
> -            blk_size_str = size_to_str(blk_size);
> -            error_setg(errp, "Invalid SD card size: %s", blk_size_str);
> -            g_free(blk_size_str);
> -
> -            blk_size_str = size_to_str(blk_size_aligned);
> -            error_append_hint(errp,
> -                              "SD card size has to be a power of 2, e.g. %s.\n"
> -                              "You can resize disk images with"
> -                              " 'qemu-img resize <imagefile> <new-size>'\n"
> -                              "(note that this will lose data if you make the"
> -                              " image smaller than it currently is).\n",
> -                              blk_size_str);
> -            g_free(blk_size_str);
> -
> -            return;
> +            warn_report("SD card size is not a power of 2 (%s). It might work"
> +                        " but is not supported by QEMU. If possible, resize"
> +                        " your disk image to %s with:",
> +                        blk_size_s, blk_size_aligned_s);
> +            warn_report(" 'qemu-img resize <imagefile> <new-size>'");
> +            warn_report("(note that this will lose data if you make the"
> +                        " image smaller than it currently is).");

Not trying to be picky, but I don't think this is much better. IMHO
it's quite irresponsible to give a warning like that, leaving users in
a state like "Should I use it or not then?", without giving a concrete
reference to what exactly might/would lead to the warned problem.

I really think we should get (/ have gotten) things clear first. What
exactly is the bug we have been talking about here? I mean like, where
does it occur and what's the nature of it.

1. Is it specific to a certain type / model of backend / physical
storage device that will be made use of by qemu for the emulated
storage? (I presume not since you mention about image, unless you
irrationally related/bound the emulated storage type and the physical
storage type together.)

2. Does it have anything to do with a certain flaw in qemu itself?
Like the code that does read/write operation is flawed that it cannot
be handled by a certain *proper* backend device?

3. Or is it actually a bug in a certain driver / firmware blob that
will be used by an *emulated* device in the guest? In that case, can
we emulate another model so that it won't be using the problematic
driver / firmware?

Also, could you provide any information / reference to what the bug
really is? Like a bug report (for the problem itself, not some vague
claim that qemu should workaround the problem)?

>          }
>
>          ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
> --
> 2.31.1
>

Peter Maydell June 24, 2021, 10:56 a.m. UTC | #3

On Thu, 24 Jun 2021 at 11:27, Tom Yan <tom.ty89@gmail.com> wrote:
> I really think we should get (/ have gotten) things clear first. What
> exactly is the bug we have been talking about here? I mean like, where
> does it occur and what's the nature of it.
>
> 1. Is it specific to a certain type / model of backend / physical
> storage device that will be made use of by qemu for the emulated
> storage? (I presume not since you mention about image, unless you
> irrationally related/bound the emulated storage type and the physical
> storage type together.)
>
> 2. Does it have anything to do with a certain flaw in qemu itself?
> Like the code that does read/write operation is flawed that it cannot
> be handled by a certain *proper* backend device?
>
> 3. Or is it actually a bug in a certain driver / firmware blob that
> will be used by an *emulated* device in the guest? In that case, can
> we emulate another model so that it won't be using the problematic
> driver / firmware?

Definitely agreed -- before we start changing QEMU code we need
to identify clearly (a) what the real hardware does and (b) what
the situation was we were originally trying to fix.

thanks
-- PMM

Warner Losh June 24, 2021, 4:08 p.m. UTC | #4

> On Jun 24, 2021, at 4:56 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
> 
> On Thu, 24 Jun 2021 at 11:27, Tom Yan <tom.ty89@gmail.com> wrote:
>> I really think we should get (/ have gotten) things clear first. What
>> exactly is the bug we have been talking about here? I mean like, where
>> does it occur and what's the nature of it.
>> 
>> 1. Is it specific to a certain type / model of backend / physical
>> storage device that will be made use of by qemu for the emulated
>> storage? (I presume not since you mention about image, unless you
>> irrationally related/bound the emulated storage type and the physical
>> storage type together.)
>> 
>> 2. Does it have anything to do with a certain flaw in qemu itself?
>> Like the code that does read/write operation is flawed that it cannot
>> be handled by a certain *proper* backend device?
>> 
>> 3. Or is it actually a bug in a certain driver / firmware blob that
>> will be used by an *emulated* device in the guest? In that case, can
>> we emulate another model so that it won't be using the problematic
>> driver / firmware?
> 
> Definitely agreed -- before we start changing QEMU code we need
> to identify clearly (a) what the real hardware does and (b) what
> the situation was we were originally trying to fix.

Real SD and MMC cards do not have power-of-two constraints in the
number of blocks. None of the SD/MMC bridges I’ve ever dealt with
have a power-of-two constraint on the size of the card. The only
constraint on the size related to the card is the block size.

If non-power-of-2 sized cards fail, that’s a cat-1 sev-1 bug that needs
to be fixed, rather than a warning be generated.

Warner

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c8dd11bad1..cab4aab1475 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -2131,23 +2131,16 @@  static void sd_realize(DeviceState *dev, Error **errp)
         blk_size = blk_getlength(sd->blk);
         if (blk_size > 0 && !is_power_of_2(blk_size)) {
             int64_t blk_size_aligned = pow2ceil(blk_size);
-            char *blk_size_str;
+            g_autofree char *blk_size_s = size_to_str(blk_size);
+            g_autofree char *blk_size_aligned_s = size_to_str(blk_size_aligned);
 
-            blk_size_str = size_to_str(blk_size);
-            error_setg(errp, "Invalid SD card size: %s", blk_size_str);
-            g_free(blk_size_str);
-
-            blk_size_str = size_to_str(blk_size_aligned);
-            error_append_hint(errp,
-                              "SD card size has to be a power of 2, e.g. %s.\n"
-                              "You can resize disk images with"
-                              " 'qemu-img resize <imagefile> <new-size>'\n"
-                              "(note that this will lose data if you make the"
-                              " image smaller than it currently is).\n",
-                              blk_size_str);
-            g_free(blk_size_str);
-
-            return;
+            warn_report("SD card size is not a power of 2 (%s). It might work"
+                        " but is not supported by QEMU. If possible, resize"
+                        " your disk image to %s with:",
+                        blk_size_s, blk_size_aligned_s);
+            warn_report(" 'qemu-img resize <imagefile> <new-size>'");
+            warn_report("(note that this will lose data if you make the"
+                        " image smaller than it currently is).");
         }
 
         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,

[RFC,9/9] hw/sd: Allow card size not power of 2 again

Commit Message

Comments

Patch