From patchwork Tue Jun 18 15:23:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zheyu Ma X-Patchwork-Id: 13702517 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 99002C27C4F for ; Tue, 18 Jun 2024 15:24:23 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sJagh-00089G-MM; Tue, 18 Jun 2024 11:23:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sJagd-00088Z-Oo; Tue, 18 Jun 2024 11:23:55 -0400 Received: from mail-ed1-x531.google.com ([2a00:1450:4864:20::531]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sJaga-0000Ke-Sw; Tue, 18 Jun 2024 11:23:54 -0400 Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-57d06101d76so242569a12.3; Tue, 18 Jun 2024 08:23:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718724231; x=1719329031; darn=nongnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=/uBHlNgBwmPP4HqMSmFwFH4dWkgYw0I0gpooRc/762U=; b=eD9Xi5qQt//ZLtApqBF6IlBE1alAFZqwsloCETx+5xdU3RWn2QoSpvIGvvSkHASaUz Wc6T9VDw4W6xER/235GivkCqKTX+355XONq4LAVVRSWilu+ZmEuoB+KoCzdO+UHOywr/ TeAAl/pjhvLlUylkhzlgcWkVdSGN4yyNGCxxa/Zpu0u2oDKwNCshMSY3SvVGDRqvzl+o HfAi/6iAts0pScvOIFPariFIiOhky0B5KLYSm7U4FWlT8lBeS2WfwosVawPNnom4056S yiJ6Bz4kd+b7V3kPYeW0BOMSoNbEhHJ6xeDDDsrbFv8gdR0ScC5kufOyQrPyOOc7I89A S/SA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718724231; x=1719329031; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/uBHlNgBwmPP4HqMSmFwFH4dWkgYw0I0gpooRc/762U=; b=vHSnldSNBoXYBA4+ZAEZ5X+E0I1zhu8NIRuuCZrCN0830sJt2S+CLPARrmNmqZxg2D HMNR2O54dbJaYDWJTc1rRm/E7B+EVbMv8lwwXpokXa27KMmHaJfadXgxtzCmrSGBqseX k4BLe1nMcmGEaoIkPGmZlrf4ESGxybcBsfgeZuz0WH0iAYJ6hIEHVDjuopqNLcilmtl/ sIH4z/UM2/PWCqPndkDhGqWIP4W3uPz4o3/fsapOvjaWp03zxYUJUSfKzLGWnY8jhZ0F ARFZLUI/txQJAeYDKbIxWUTpootqszPV4bBKMuEZHCr3sEqhPNVIPahS5UUAmkDqS5ys KVcQ== X-Forwarded-Encrypted: i=1; AJvYcCUhtWjaMtHvPPacfzA72wL5SXc0yaoAG4yAnXXPUDwmxzHwiS36yegkLDABccRplXri1ukRDogdajT2Ea2XI7jAbuA4nbwa06kWFRxTWJaWkLjhERIDTeDURb6dlw== X-Gm-Message-State: AOJu0Yxio3QPOPr8WZ+ax3oyANWG6H1QldO+IEHrHLXL3ygMWmrMA6Su qI38WdcETva2GhrinTmS7Kcyg+wIQd+wZwFG0eENPGkp2XBdnas= X-Google-Smtp-Source: AGHT+IGGAgo+I0uUsmOiE39A0Ij2Q/wrs3bpJ0N42P58XlcEEN8+v/zaPN6CZTEk8mW9WhmHuMuVPQ== X-Received: by 2002:a50:9f2f:0:b0:57c:abf9:e6ad with SMTP id 4fb4d7f45d1cf-57cbd6a6ea7mr7473062a12.42.1718724230742; Tue, 18 Jun 2024 08:23:50 -0700 (PDT) Received: from wing.epfl.ch (dhcp-122-dist-b-021.epfl.ch. [128.178.122.21]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-57cfa753136sm954805a12.34.2024.06.18.08.23.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Jun 2024 08:23:50 -0700 (PDT) From: Zheyu Ma To: Alistair Francis , Kevin Wolf , Hanna Reitz Cc: Zheyu Ma , qemu-block@nongnu.org, qemu-devel@nongnu.org Subject: [PATCH] block: m25p80: Fix heap-buffer-overflow in flash_erase function Date: Tue, 18 Jun 2024 17:23:28 +0200 Message-Id: <20240618152328.3163680-1-zheyuma97@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::531; envelope-from=zheyuma97@gmail.com; helo=mail-ed1-x531.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org This patch fixes a heap-buffer-overflow issue in the flash_erase function of the m25p80 flash memory emulation. The overflow occurs when the combination of offset and length exceeds the allocated memory for the storage. The patch adds a check to ensure that the erase length does not exceed the storage size and adjusts the length accordingly if necessary. Reproducer: cat << EOF | qemu-system-aarch64 -display none \ -machine accel=qtest, -m 512M -machine kudo-bmc -qtest stdio writeq 0xc0000010 0x6 writel 0xc000000c 0x9 writeq 0xc0000010 0xf27f9412 writeq 0xc000000f 0x2b5cdc26 writeq 0xc000000c 0xffffffffffffffff writeq 0xc000000c 0xffffffffffffffff writeq 0xc000000c 0xffffffffffffffff writel 0xc000000c 0x9 writeq 0xc000000c 0x9 EOF ASan log: ==2614308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3fb7fc000 at pc 0x55aa77a442dc bp 0x7fffaa155900 sp 0x7fffaa1550c8 WRITE of size 65536 at 0x7fd3fb7fc000 thread T0 #0 0x55aa77a442db in __asan_memset llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 #1 0x55aa77e7e6b3 in flash_erase hw/block/m25p80.c:631:5 #2 0x55aa77e6f8b1 in complete_collecting_data hw/block/m25p80.c:773:9 #3 0x55aa77e6aaa9 in m25p80_transfer8 hw/block/m25p80.c:1550:13 #4 0x55aa78e9a691 in ssi_transfer_raw_default hw/ssi/ssi.c:92:16 #5 0x55aa78e996c0 in ssi_transfer hw/ssi/ssi.c:165:14 #6 0x55aa78e8d76a in npcm7xx_fiu_uma_transaction hw/ssi/npcm7xx_fiu.c:336:9 #7 0x55aa78e8be4b in npcm7xx_fiu_ctrl_write hw/ssi/npcm7xx_fiu.c:428:13 Signed-off-by: Zheyu Ma --- hw/block/m25p80.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index 8dec134832..e9a59f6616 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -617,6 +617,12 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd) abort(); } + if (offset + len > s->size) { + qemu_log_mask(LOG_GUEST_ERROR, + "M25P80: Erase exceeds storage size, adjusting length\n"); + len = s->size - offset; + } + trace_m25p80_flash_erase(s, offset, len); if ((s->pi->flags & capa_to_assert) != capa_to_assert) {