xemu/tests
Philippe Mathieu-Daudé 59b63d78be hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

  qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
  ==11578== ERROR: libFuzzer: deadly signal
  #8 0x7ffff628e091 in __assert_fail
  #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
  #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
  #11 0x5555588d777c in sd_do_command hw/sd/sd.c
  #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
  #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
  #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
  #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62 ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
2021-07-12 12:27:38 +02:00
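The pattern the commit describes, as an added example that is not QEMU's own hw/sd/sd.c: a small SD card model in which the CMD30 argument first goes straight to the write-protect lookup (so an illegal address reaches the `wpnum < wpgrps_size` assertion, modelled here as a `false` return instead of `abort()`), and then the same command with the address range checked up front and reported through the R1 status instead. The 4 KiB group size, the struct layout, the `ADDRESS_ERROR` bit value and all function names are assumptions made for this example. The range comparison is done on the full 64-bit address before it is narrowed to a group index, so an argument such as `1 << 44` cannot wrap into a valid index.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed SD card model for this example (not QEMU's SDState).
 * Constants and names below are assumptions, chosen to keep the model small.
 */
#define WPGROUP_SHIFT 12                     /* assumed: 4 KiB write-protect groups */
#define WPGROUP_SIZE  (1ull << WPGROUP_SHIFT)
#define ADDRESS_ERROR (1u << 30)             /* assumed R1 status bit */

typedef struct {
    uint64_t size;         /* card capacity in bytes */
    uint32_t wpgrps_size;  /* number of write-protect groups */
    uint8_t *wp_groups;    /* one bit per group, 1 = protected */
    uint32_t card_status;  /* R1 status bits accumulated by commands */
} sd_model;

enum { SD_R1 = 0, SD_ASSERT = -1 };          /* SD_ASSERT stands in for abort() */

static bool test_bit(const uint8_t *bm, uint64_t n) { return (bm[n / 8] >> (n % 8)) & 1; }
static void set_bit(uint8_t *bm, uint64_t n) { bm[n / 8] |= (uint8_t)(1u << (n % 8)); }

sd_model *sd_model_new(uint64_t size)
{
    sd_model *sd = calloc(1, sizeof *sd);
    if (!sd) return NULL;
    sd->size = size;
    sd->wpgrps_size = (uint32_t)((size + WPGROUP_SIZE - 1) >> WPGROUP_SHIFT);
    sd->wp_groups = calloc((sd->wpgrps_size + 7) / 8, 1);
    if (!sd->wp_groups) { free(sd); return NULL; }
    return sd;
}

void sd_model_free(sd_model *sd) { if (sd) { free(sd->wp_groups); free(sd); } }

void sd_model_protect_group(sd_model *sd, uint32_t grp) { set_bit(sd->wp_groups, grp); }

/*
 * Collect the 32 write-protect bits starting at the group containing addr
 * (bit i = group wpnum + i). Groups past the end of the card report 0.
 * The start group is asserted to be in range; the assertion is modelled as
 * returning false so the failure is observable instead of aborting.
 */
static bool sd_wpbits(const sd_model *sd, uint64_t addr, uint32_t *out)
{
    uint64_t wpnum = addr >> WPGROUP_SHIFT;   /* kept 64-bit: no truncation */
    uint32_t ret = 0;

    if (wpnum >= sd->wpgrps_size) {
        return false;                         /* assert(wpnum < sd->wpgrps_size) */
    }
    for (uint32_t i = 0; i < 32 && wpnum < sd->wpgrps_size; i++, wpnum++) {
        if (test_bit(sd->wp_groups, wpnum)) {
            ret |= 1u << i;
        }
    }
    *out = ret;
    return true;
}

/* CMD30 without a range check: the guest-controlled argument reaches the
 * bitmap lookup directly, so an out-of-range address hits the assertion. */
int cmd30_unchecked(sd_model *sd, uint64_t addr, uint32_t *bits)
{
    return sd_wpbits(sd, addr, bits) ? SD_R1 : SD_ASSERT;
}

/* CMD30 with the range check done first: an address beyond the card is
 * reported as ADDRESS_ERROR in R1 and the bitmap is never consulted. */
int cmd30_checked(sd_model *sd, uint64_t addr, uint32_t *bits)
{
    if (addr >= sd->size) {
        sd->card_status |= ADDRESS_ERROR;
        *bits = 0;
        return SD_R1;
    }
    return cmd30_unchecked(sd, addr, bits);
}

int main(void)
{
    sd_model *sd = sd_model_new(64 * WPGROUP_SIZE);   /* constructed 256 KiB card */
    uint32_t bits = 0;
    sd_model_protect_group(sd, 3);
    printf("unchecked CMD30 at end of card: %s\n",
           cmd30_unchecked(sd, sd->size, &bits) == SD_ASSERT ? "assertion" : "ok");
    printf("checked CMD30 at end of card: rc=%d status=0x%08x\n",
           cmd30_checked(sd, sd->size, &bits), sd->card_status);
    sd_model_free(sd);
    return 0;
}
```

The checked variant follows the shape of the earlier multi-block read fix the commit refers to: validate the guest-supplied address against the card size at the command boundary, signal the error through the protocol's own status field, and only then index internal state. The unchecked variant is kept only to make the failure mode visible in a test.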
acceptance MIPS patches queue 2021-07-04 14:04:12 +01:00
bench tests: Move benchmarks into a separate folder 2021-03-12 15:46:30 +01:00
data tests: acpi: pc: update expected DSDT blobs 2021-07-03 03:12:35 -04:00
decode decodetree: Extend argument set syntax to allow types 2021-05-01 11:45:35 -07:00
docker tcg: Build ffi data structures for helpers 2021-06-19 08:51:11 -07:00
fp tests/fp: Enable more tests 2021-06-03 14:09:03 -07:00
guest-debug chardev: do not use short form boolean options in non-QemuOpts character device descriptions 2021-02-25 15:41:53 +01:00
image-fuzzer image-fuzzer: Use OSerror.strerror instead of tuple subscript 2019-11-05 16:36:11 +01:00
include tests: add missing generated sources to testqapi 2020-10-17 10:45:50 -04:00
keys tests/vm: Add Haiku test based on their vagrant images 2020-11-17 09:45:24 +01:00
migration tests/migration: fix "downtime_limit" type when "migrate-set-parameters" 2021-07-05 10:51:26 +01:00
multiboot Remove superfluous .gitignore files 2020-10-13 12:48:17 +02:00
perf/block/qcow2 tests/perf: Test lseek influence on qcow2 block-status 2019-06-04 15:20:41 +02:00
plugin plugins/syscall: Added a table-like summary output 2021-05-25 16:52:50 +01:00
qapi-schema docs: fix references to docs/devel/build-system.rst 2021-06-02 06:51:09 +02:00
qemu-iotests Block layer patches 2021-07-10 19:55:21 +01:00
qtest hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) 2021-07-12 12:27:38 +02:00
rocker
tcg tests/tcg: generalise the disabling of the signals test 2021-07-08 14:05:51 +01:00
tsan tests/docker: Added docker build support for TSan. 2020-06-16 14:49:05 +01:00
uefi-test-tools Remove superfluous .gitignore files 2020-10-13 12:48:17 +02:00
unit Pull request 2021-07-08 22:17:28 +01:00
vm tests/vm: expose --source-path to scripts to find extra files 2021-06-07 14:42:47 +01:00
vmstate-static-checker-data hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
check-block.sh iotests: rewrite check into python 2021-01-27 20:53:14 +01:00
dbus-vmstate-daemon.sh tests: add dbus-vmstate-test 2020-01-06 18:41:32 +04:00
Makefile.include configs: rename default-configs to configs and reorganise 2021-07-09 18:21:34 +02:00
meson.build tests: Move benchmarks into a separate folder 2021-03-12 15:46:30 +01:00
requirements.txt acceptance tests: bump Avocado version to 88.1 2021-06-01 16:21:21 -04:00
test-qht-par.c
vhost-user-bridge.c libvhost-user: make it a meson subproject 2020-12-08 13:48:58 -05:00