Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210712' into staging

SD/MMC patches queue - sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) # gpg: Signature made Mon 12 Jul 2021 11:28:13 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd/tags/sdmmc-20210712: hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses hw/sd/sdcard: When card is in wrong state, log which state it is Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
author: Peter Maydell 2021-07-12 22:22:27 +0200
committer: Peter Maydell 2021-07-12 22:22:27 +0200
commit: eca73713358f7abb18f15c026ff4267b51746992 (patch)
tree: 67b50beb36b28cb93bd85174581bbfbbb374bc59 /hw
parent: Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210708' into... (diff)
parent: hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) (diff)
download: qemu-eca73713358f7abb18f15c026ff4267b51746992.tar.gz
qemu-eca73713358f7abb18f15c026ff4267b51746992.tar.xz
qemu-eca73713358f7abb18f15c026ff4267b51746992.zip
1 files changed, 28 insertions, 13 deletions
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 282d39a704..1f964e022b 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,19 @@ static void sd_lock_command(SDState *sd)
         sd->card_status &= ~CARD_IS_LOCKED;
 }
 
+static bool address_in_range(SDState *sd, const char *desc,
+                             uint64_t addr, uint32_t length)
+{
+    if (addr + length > sd->size) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
+                      desc, addr, sd->size, length);
+        sd->card_status |= ADDRESS_ERROR;
+        return false;
+    }
+    return true;
+}
+
 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 {
     uint32_t rca = 0x0000;
@@ -1218,8 +1231,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1264,8 +1276,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         switch (sd->state) {
         case sd_transfer_state:
 
-            if (addr + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
                 return sd_r1;
             }
 
@@ -1325,8 +1336,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1348,8 +1358,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
-            if (addr >= sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
                 return sd_r1b;
             }
 
@@ -1371,6 +1380,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 
         switch (sd->state) {
         case sd_transfer_state:
+            if (!address_in_range(sd, "SEND_WRITE_PROT",
+                                  req.arg, sd->blk_len)) {
+                return sd_r1;
+            }
+
             sd->state = sd_sendingdata_state;
             *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
             sd->data_start = addr;
@@ -1504,7 +1518,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         return sd_illegal;
     }
 
-    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
+    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
+                  req.cmd, sd_state_name(sd->state));
     return sd_illegal;
 }
 
@@ -1825,8 +1840,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
             /* Start of the block - let's check the address is valid */
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+                                  sd->data_start, sd->blk_len)) {
                 break;
             }
             if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -1998,8 +2013,8 @@ uint8_t sd_read_byte(SDState *sd)
 
     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
         if (sd->data_offset == 0) {
-            if (sd->data_start + io_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
+            if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+                                  sd->data_start, io_len)) {
                 return 0x00;
             }
             BLK_READ_BLOCK(sd->data_start, io_len);
author	Peter Maydell	2021-07-12 22:22:27 +0200
committer	Peter Maydell	2021-07-12 22:22:27 +0200
commit	eca73713358f7abb18f15c026ff4267b51746992 (patch)
tree	67b50beb36b28cb93bd85174581bbfbbb374bc59 /hw
parent	Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210708' into... (diff)
parent	hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) (diff)
download	qemu-eca73713358f7abb18f15c026ff4267b51746992.tar.gz qemu-eca73713358f7abb18f15c026ff4267b51746992.tar.xz qemu-eca73713358f7abb18f15c026ff4267b51746992.zip