From patchwork Wed Mar 3 12:26:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Bin Meng X-Patchwork-Id: 12113349 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.5 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FF6CC433E0 for ; Wed, 3 Mar 2021 12:29:51 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A422B64EBD for ; Wed, 3 Mar 2021 12:29:50 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A422B64EBD Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:57466 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lHQdR-0007ir-Mi for qemu-devel@archiver.kernel.org; Wed, 03 Mar 2021 07:29:49 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:37356) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lHQai-00034R-Ic; Wed, 03 Mar 2021 07:27:00 -0500 Received: from mail-qk1-x72c.google.com ([2607:f8b0:4864:20::72c]:41317) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lHQag-0000cw-R5; Wed, 03 Mar 2021 
07:27:00 -0500 Received: by mail-qk1-x72c.google.com with SMTP id q85so23684987qke.8; Wed, 03 Mar 2021 04:26:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=OG4goZFEaNkkukUoQrBUegD/8Ki3U9WGREFx1JPyYo4=; b=SFexncU+WlvYtbpNnYCjmD70U44+jUb+WnXBwGi4piehhuy9AQY+2OHy97P+fhslGZ 7XwA/PhkTAt9Lmh9WfPca0unayvkt5xvLnQskb8rOQ/VjjfuUjXQRLG+dycqNZihLMm4 wKKgaciirLeL8Jt6Kk84H66RwZfIXW6Y2OJrvDUQgWkKXN0cE+J6O1bezspTsR4fIlWd NvQFxNr3rjofyhAuoTqnm+nUm+K6qTAi/CsNsZ/GA8dhkwFW7mgw5fx75dyW0huzpxat fn/wpwJKEF86S8hEvFKAN1h5d6ps1HHpJxii+IJ4jr6ClM0l0hNhDvIOm8QfgmFDwVtr BPzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=OG4goZFEaNkkukUoQrBUegD/8Ki3U9WGREFx1JPyYo4=; b=X8iCMzZ2x4qLRYoNmYtVQahDfkobUSfVh2pTUkQVEQJWNiFl9wg+DzPpadaKgBehT9 5V7eaU/nPWh/dBndCXR8hfB32SfVYT50pyVT7ZZT3MC3x9U3UgX3Zq/PFdBdziaA4diz j1lK41kIfLKfBxoFAhCHPeIIUqiswrQ2+DZ372cV5O5EKXngjwpqWb1FuBtAwVsNpPhV pUps+9U65tLLTn+OFRSYJiG4YD5KGFBDCRxJp3ofjW6YbafcH1+XfS+omIN8KVGZj+kc mjmCfA7kM7WqpHGSTKNyi1JVsvXZNtIRDqevJiC9SrJFjMHny1IkZBZbVKIWgTjENtI4 EwMg== X-Gm-Message-State: AOAM533XFApjjbYU/SZ8nH+sKT30mVVmLJ6zbcgN7FLn2ZpcdW7xovmN b6Qg/GTUYRb/YAEDWeG03+0= X-Google-Smtp-Source: ABdhPJyxhffo5oA52IO5azMr8/tiIr4CsKKlQ/jxhJjzsdxSnDEkgqR3jXsN2rqiZtAfrShwsd+rqw== X-Received: by 2002:a05:620a:1107:: with SMTP id o7mr505302qkk.188.1614774417087; Wed, 03 Mar 2021 04:26:57 -0800 (PST) Received: from i9-aorus-gtx1080.localdomain (144.168.56.201.16clouds.com. [144.168.56.201]) by smtp.gmail.com with ESMTPSA id x14sm15433458qtq.47.2021.03.03.04.26.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Mar 2021 04:26:56 -0800 (PST) 
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-stable@nongnu.org, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [RESEND PATCH v3 1/5] hw/sd: sdhci: Don't transfer any data when command time out
Date: Wed, 3 Mar 2021 20:26:35 +0800
Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
In-Reply-To: <20210303122639.20004-1-bmeng.cn@gmail.com>
References: <20210303122639.20004-1-bmeng.cn@gmail.com>
X-Mailer: git-send-email 2.25.1

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
    -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive \
    -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Acked-by: Alistair Francis
Tested-by: Alexander Bulekov
Tested-by: Philippe Mathieu-Daudé
---
(no changes since v1)

 hw/sd/sdhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 9acf4467a3..f72d76c178 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) SDRequest request; uint8_t response[16]; int rlen; + bool timeout = false; s->errintsts = 0; s->acmd12errsts = 0;
@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) trace_sdhci_response16(s->rspreg[3], s->rspreg[2], s->rspreg[1], s->rspreg[0]); } else { + timeout = true; trace_sdhci_error("timeout waiting for command response"); if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { s->errintsts |= SDHC_EIS_CMDTIMEOUT; 
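Review bot: `timeout = true` is only set on this no-response path, so the gate added at the end of sdhci_send_command() covers exactly the missing-response case; any other failure inside the function (none is visible in this hunk) would still reach the data transfer. A sentence in the commit message saying that a missing response is the only case that must suppress the transfer, or a short comment beside the assignment, would record that intent for the next reader.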
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) sdhci_update_irq(s); - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { s->data_count = 0; sdhci_data_transfer(s); }
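Review bot: gating on the local `timeout` instead of on `s->errintsts & SDHC_EIS_CMDTIMEOUT` is the right choice and deserves a one-line comment above the `if`: the previous hunk shows the status bit is only latched under `if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT)`, so a guest that leaves that enable bit clear could otherwise time out a command and still reach `sdhci_data_transfer(s)`. Without the comment, a later cleanup is likely to fold the local back into the status register and reopen the hole.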
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-stable@nongnu.org, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [RESEND PATCH v3 2/5] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Date: Wed, 3 Mar 2021 20:26:36 +0800
Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
In-Reply-To: <20210303122639.20004-1-bmeng.cn@gmail.com>
References: <20210303122639.20004-1-bmeng.cn@gmail.com>
X-Mailer: git-send-email 2.25.1

Per "SD Host Controller Standard Specification Version 7.00" chapter 2.2.1
SDMA System Address Register:

  This register can be accessed only if no transaction is executing
  (i.e., after a transaction has stopped).
With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
---
Changes in v3:
- Embed the reproducer in the commit message

 hw/sd/sdhci.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index f72d76c178..3feb6c3a1f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) switch (offset & ~0x3) { case SDHC_SYSAD: - s->sdmasysad = (s->sdmasysad & mask) | value; - MASKED_WRITE(s->sdmasysad, mask, value); - /* Writing to last byte of sdmasysad might trigger transfer */ - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && - s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { - if (s->trnmod & SDHC_TRNS_MULTI) { - sdhci_sdma_transfer_multi_blocks(s); - } else { - sdhci_sdma_transfer_single_block(s); + if (!TRANSFERRING_DATA(s->prnsts)) { + s->sdmasysad = (s->sdmasysad & mask) | value; + MASKED_WRITE(s->sdmasysad, mask, value); + /* Writing to last byte of sdmasysad might trigger transfer */ + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && + SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { + if (s->trnmod & SDHC_TRNS_MULTI) { + sdhci_sdma_transfer_multi_blocks(s); + } else { + sdhci_sdma_transfer_single_block(s); + } } } break;
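Review bot: this hunk inverts the `TRANSFERRING_DATA(s->prnsts)` test rather than only adding a guard. The removed condition `if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&` started the SDMA engine from a SYSAD write only while a transfer was in progress, which is how a driver resumes after the controller pauses at an SDMA buffer boundary and raises the DMA interrupt; the new code accepts the write only when no transfer is in progress. If sdhci_sdma_transfer_multi_blocks() drops the DAT-line-active/inhibit bits when it pauses at the boundary this is fine, but that is not visible here, so the commit message should say that the boundary-resume path was checked (a guest doing SDMA reads larger than the boundary would exercise it). Two smaller points: `s->sdmasysad = (s->sdmasysad & mask) | value;` immediately followed by `MASKED_WRITE(s->sdmasysad, mask, value);` looks like the same update done twice and could be reduced to the macro while the lines are being moved, and the silently refused write deserves a `qemu_log_mask(LOG_GUEST_ERROR, ...)` in an else branch, matching what sdhci_write() already does for an oversized block size.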
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-stable@nongnu.org, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [RESEND PATCH v3 3/5] hw/sd: sdhci: Correctly set the controller status for ADMA
Date: Wed, 3 Mar 2021 20:26:37 +0800
Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
In-Reply-To: <20210303122639.20004-1-bmeng.cn@gmail.com>
References: <20210303122639.20004-1-bmeng.cn@gmail.com>
X-Mailer: git-send-email 2.25.1

When an ADMA transfer is started, the code forgets to set the controller
status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
---
(no changes since v1)

 hw/sd/sdhci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 3feb6c3a1f..7a2003b28b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s) switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ + s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; if (s->trnmod & SDHC_TRNS_READ) { + s->prnsts |= SDHC_DOING_READ; while (length) { if (s->data_count == 0) { sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
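Review bot: the bits OR'ed into `s->prnsts` here are set on every TRAN descriptor, but this hunk shows no matching clear. Since the SYSAD and SDHC_BLKSIZE cases of sdhci_write() in this series now refuse writes while `TRANSFERRING_DATA(s->prnsts)` is true, any exit from sdhci_do_adma() that does not clear SDHC_DATA_INHIBIT, SDHC_DAT_LINE_ACTIVE and SDHC_DOING_READ (an ADMA descriptor error or an abort, for instance) would leave the guest unable to program the next transfer until a reset. Please point at where the clear happens in the commit message, or add it on the error paths if it is missing.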
@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s) } } } else { + s->prnsts |= SDHC_DOING_WRITE; while (length) { begin = s->data_count; if ((length + begin) < block_size) {
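Review bot: style only: `s->prnsts |= SDHC_DOING_WRITE;` lives one branch away from the `SDHC_DOING_READ` line of the previous hunk, so the three status bits are now set in three places. Folding the direction bit into the statement that sets SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE, before the `if (s->trnmod & SDHC_TRNS_READ)`, would keep the status update in one place and make the eventual clear easier to audit against it.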
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-stable@nongnu.org, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [RESEND PATCH v3 4/5] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
Date: Wed, 3 Mar 2021 20:26:38 +0800
Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
In-Reply-To: <20210303122639.20004-1-bmeng.cn@gmail.com>
References: <20210303122639.20004-1-bmeng.cn@gmail.com>
X-Mailer: git-send-email 2.25.1

The code to limit the maximum block size is only necessary when the
SDHC_BLKSIZE register is writable.

Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
---
(no changes since v2)

Changes in v2:
- new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is writable

 hw/sd/sdhci.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 7a2003b28b..d0c8e293c0 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c 
@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - } - /* Limit block size to the maximum buffer size */ - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " - "the maximum buffer 0x%x\n", __func__, s->blksize, - s->buf_maxsz); + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " + "the maximum buffer 0x%x\n", __func__, s->blksize, + s->buf_maxsz); - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + } } break;
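Review bot: the comparison uses `extract32(s->blksize, 0, 12)` but the `qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "` call still prints the raw `s->blksize`, so the message can show the SDMA buffer-boundary bits (14:12) mixed into the reported size; print the extracted 12-bit value instead, since the lines are being touched anyway. Moving the clamp under `if (!TRANSFERRING_DATA(s->prnsts))` is otherwise correct, because blksize cannot have changed when the write was refused, but as with the SYSAD case a LOG_GUEST_ERROR on the refused write would help driver authors see why their block size did not take.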
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-stable@nongnu.org, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [RESEND PATCH v3 5/5] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
Date: Wed, 3 Mar 2021 20:26:39 +0800
Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
In-Reply-To: <20210303122639.20004-1-bmeng.cn@gmail.com>
References: <20210303122639.20004-1-bmeng.cn@gmail.com>

If the block size is programmed to a different value from the previous one, reset the data pointer of s->fifo_buffer[] so that s->fifo_buffer[] can be filled in using the new block size in the next transfer.
With this fix, the following reproducer:

  outl 0xcf8 0x80001010
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0xe000002c 0x1 0x05
  write 0xe0000005 0x1 0x02
  write 0xe0000007 0x1 0x01
  write 0xe0000028 0x1 0x10
  write 0x0 0x1 0x23
  write 0x2 0x1 0x08
  write 0xe000000c 0x1 0x01
  write 0xe000000e 0x1 0x20
  write 0xe000000f 0x1 0x00
  write 0xe000000c 0x1 0x32
  write 0xe0000004 0x2 0x0200
  write 0xe0000028 0x1 0x00
  write 0xe0000003 0x1 0x40

cannot be reproduced with the following QEMU command line:

  $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
---
(no changes since v2)

Changes in v2:
- new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed

 hw/sd/sdhci.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index d0c8e293c0..5b8678110b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { + uint16_t blksize = s->blksize; + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); } + + /* + * If the block size is programmed to a different value from + * the previous one, reset the data pointer of s->fifo_buffer[] + * so that s->fifo_buffer[] can be filled in using the new block + * size in the next transfer. + */ + if (blksize != s->blksize) { + s->data_count = 0; + } } break;
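Review bot: the snapshot "uint16_t blksize = s->blksize;" in the first hunk (@@ -1140,6 +1140,8 @@) is only explained by the comment that arrives ten lines later in the second hunk; a one-line comment at the declaration (for example "remember the old value to detect a block size change below") would let each half of the logic be read on its own. Taking the copy before MASKED_WRITE is right, since the later comparison then sees both the guest's write and the clamp that follows it.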
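Review bot: the new test "if (blksize != s->blksize)" in the second hunk (@@ -1151,6 +1153,16 @@) compares the whole 16-bit register, whereas the write above it stores extract32(value, 0, 12) and the clamp checks extract32(s->blksize, 0, 12); if only the 12-bit block size field is meant to trigger the reset, compare extract32(blksize, 0, 12) != extract32(s->blksize, 0, 12), otherwise state in the new comment that any change to the register resets the pointer. Setting s->data_count = 0 also discards whatever was already staged in s->fifo_buffer[] for the previous size, which is the intended effect of this fix and is worth saying explicitly in the commit message next to the CVE references.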