On 16.02.2026 16:44, Michael Tokarev wrote:
On 2/13/26 17:43, Alexander Bulekov wrote:
On 260213 1205, Michael Tokarev wrote:
Ping once again?
FWIW, none of the reproducers in the thread work for me anymore and
OSS-Fuzz claims the issue was fixed sometime in April 2024:
https://issues.oss-fuzz.com/issues/42524205#comment5
ok. I bisected using the reproducer from
https://lore.kernel.org/qemu-devel/caa8xkjxrms0fkr28akvnnpyatm0y0b+5fichpsrhd+mugnu...@mail.gmail.com/ -
and it looks like first, the invalid write was replaced with an
assertion failure after this commit, which itself is a fix for
CVE-2024-3447:
commit 9e4b27ca6bf4974f169bbca7f3dca117b1208b6f (v9.0.0-rc2-64-g9e4b27ca6b)
Author: Philippe Mathieu-Daudé <[email protected]>
Date: Tue Apr 9 16:19:27 2024 +0200
hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
https://gitlab.com/qemu-project/qemu/-/commit/9e4b27ca6bf4974f169bbca7f3dca117b1208b6f
So yes, this is in Apr-24, and it is in v9.0.0.
After this commit, the invalid write has gone, instead, we started
hitting assertion failure in sdhci_write_dataport():
hw/sd/sdhci.c:565: sdhci_write_dataport: Assertion `s->data_count < s->buf_maxsz' failed.
next, in
commit ed5a159c3de48a581f46de4c8c02b4b295e6c52d (v9.1.0-rc0-80-ged5a159c3d)
Author: Philippe Mathieu-Daudé <[email protected]>
Date: Tue Jul 30 10:41:25 2024 +0200
hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers
https://gitlab.com/qemu-project/qemu/-/commit/ed5a159c3de48a581f46de4c8c02b4b295e6c52d
the assertion failure has gone for good, at least with this
reproducer.
(the first commit is v7.2.10-56-g2429cb7a9f in the 7.2.x series,
the second v7.2.13-25-gfc2e706f4c).
So it looks like the issue has been fixed for good in v9.1.0
and v7.2.14.
Please take a look at the original bug report and the final
logic as per this message - does it look sane?
Hi! Can someone more knowledgeable in this area than me actually take
a look there please? Does this change actually fix the prob?
Thanks,
/mjt
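As an added illustration (a constructed model written for this note, not QEMU's hw/sd/sdhci.c, not either of the commits above, and not the reproducer from the thread), the three states the bisection describes can be shown side by side: a data-port write that indexes a fixed buffer with a guest-steered counter (the original invalid write), the same write guarded by an assertion on the counter (the first commit, where the guest can now abort the emulator instead of corrupting it), and the counter being reset when a DMA transfer is invalid (the second commit, where the stale counter never reaches the write). All names, the buffer size, the "invalid descriptor" condition and the guest-side sequence are assumptions of the model:

```c
/*
 * Constructed model (NOT QEMU's hw/sd/sdhci.c) of a device data-port
 * write whose buffer index is left stale by an invalid DMA transfer.
 * BUF_MAXSZ, the block/descriptor handling and the scenario are invented
 * for illustration; only the shape of the three outcomes is the point.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAXSZ 512u   /* size of the model's fixed data buffer (assumed) */

enum variant {
    UNCHECKED,        /* model of the original code: no bound on data_count */
    ASSERTING,        /* model of the first fix: assert(data_count < BUF_MAXSZ) */
    RESET_ON_INVALID  /* model of the second fix: invalid DMA resets data_count */
};

enum outcome { WRITE_OK = 0, OOB_WRITE = 1, ASSERT_FAIL = 2 };

struct model {
    enum variant variant;
    uint8_t buf[BUF_MAXSZ];
    unsigned data_count;  /* next free byte in buf */
    unsigned blksize;     /* bytes per block, chosen by the guest */
    bool dma_valid;       /* whether the current DMA descriptor is usable */
};

static void model_init(struct model *m, enum variant v, unsigned blksize, bool dma_valid)
{
    memset(m, 0, sizeof *m);
    m->variant = v;
    m->blksize = blksize;
    m->dma_valid = dma_valid;
}

/* A full block sits in buf: hand it to DMA and restart the index. */
static void block_complete(struct model *m)
{
    if (m->dma_valid) {
        /* A real device would copy buf to guest memory here. */
        m->data_count = 0;
        return;
    }
    /* Invalid descriptor: the transfer is abandoned. The two older variants
     * leave data_count where it was (== blksize); the fixed one resets it. */
    if (m->variant == RESET_ON_INVALID) {
        m->data_count = 0;
    }
}

/* One byte written by the guest to the data port; returns the host-side effect. */
static enum outcome dataport_write(struct model *m, uint8_t byte)
{
    if (m->variant != UNCHECKED && m->data_count >= BUF_MAXSZ) {
        return ASSERT_FAIL;   /* an assert() here aborts the whole emulator */
    }
    if (m->data_count >= BUF_MAXSZ) {
        /* The unchecked variant would store past the end of buf; the model
         * reports that instead of corrupting its own memory. */
        return OOB_WRITE;
    }
    m->buf[m->data_count++] = byte;
    if (m->data_count >= m->blksize) {
        block_complete(m);
    }
    return WRITE_OK;
}

/* Constructed guest-side sequence: fill one block of BUF_MAXSZ bytes, then
 * write one more byte. Returns the outcome of that extra write. */
static enum outcome run_scenario(enum variant v, bool dma_valid)
{
    struct model m;
    model_init(&m, v, BUF_MAXSZ, dma_valid);
    for (unsigned i = 0; i < BUF_MAXSZ; i++) {
        enum outcome r = dataport_write(&m, (uint8_t)i);
        if (r != WRITE_OK) {
            return r;   /* not expected: the first block always fits */
        }
    }
    return dataport_write(&m, 0xff);
}

int main(void)
{
    static const char *const names[] = { "WRITE_OK", "OOB_WRITE", "ASSERT_FAIL" };
    printf("unchecked, invalid DMA:        %s\n", names[run_scenario(UNCHECKED, false)]);
    printf("asserting, invalid DMA:        %s\n", names[run_scenario(ASSERTING, false)]);
    printf("reset-on-invalid, invalid DMA: %s\n", names[run_scenario(RESET_ON_INVALID, false)]);
    printf("unchecked, valid DMA:          %s\n", names[run_scenario(UNCHECKED, true)]);
    return 0;
}
```

The model makes the practitioner's point about the intermediate state: an assertion in a device model turns a guest-reachable out-of-bounds write into a guest-reachable abort of the whole VMM process, which is still a bug worth backporting a fix for, and the second change removes the stale index that both symptoms depended on.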