Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 4fbeddb088d886be3fb69ddb896df3142177d3df
https://github.com/qemu/qemu/commit/4fbeddb088d886be3fb69ddb896df3142177d3df
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M include/qemu/bswap.h
Log Message:
-----------
bswap: Add st24_be_p() to store 24 bits in big-endian order
Commit 14180d6221 ("bswap: Add the ability to store to an
unaligned 24 bit field") added st24_le_p() for little
endianness, add st24_be_p() equivalent for big one.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Commit: c2e857b4cac0186d4ba1521fcfeb9b5322831676
https://github.com/qemu/qemu/commit/c2e857b4cac0186d4ba1521fcfeb9b5322831676
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
For multi-byte commands, our implementation uses the @data_start
and @data_offset fields to track byte access. We initialize the
command start/offset in buffer once. A malicious guest might abuse
this by switching command while staying in the 'transfer' state, switching
command buffer size, and our implementation can access out of buffer
boundary. For example, CMD17 (READ_SINGLE_BLOCK) allows reading up to
512 bytes, and CMD13 (SEND_STATUS) up to 64 bytes. By switching from
CMD17 to CMD13 (see reproducer below), bytes [64-511] are out of the
'status' buffer.
Our implementation returns R0 status code for unexpected commands.
Such in-transaction command switch is unexpected and returns R0.
This is a good place to reset the start/offset fields to avoid
malicious accesses.
Can be reproduced running:
$ export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
$ cat << EOF | qemu-system-i386 \
-display none -nographic \
-machine accel=qtest -m 512M \
-nodefaults \
-device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
-qtest stdio -trace sd\* -trace -sdbus_read
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x02
write 0xe000002c 0x1 0x05
write 0xe000000f 0x1 0x37
write 0xe000000a 0x1 0x01
write 0xe000000f 0x1 0x29
write 0xe000000f 0x1 0x02
write 0xe000000f 0x1 0x03
write 0xe000000c 0x1 0x32
write 0xe000000f 0x1 0x06
write 0xe0000005 0x1 0x01
write 0xe0000007 0x1 0x01
write 0xe0000003 0x1 0x00
write 0xe000000f 0x1 0x11
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
write 0xe000000f 0x1 0x0d
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
EOF
hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]'
#0 sd_read_byte hw/sd/sd.c:1984:15
#1 sdbus_read_data hw/sd/core.c:157:23
#2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9
#3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13
#4 sdhci_write hw/sd/sdhci.c:1195:13
#5 memory_region_write_accessor softmmu/memory.c:492:5
#6 access_with_adjusted_size softmmu/memory.c:554:18
#7 memory_region_dispatch_write softmmu/memory.c
#8 flatview_write_continue softmmu/physmem.c:2778:23
#9 flatview_write softmmu/physmem.c:2818:14
#10 address_space_write softmmu/physmem.c:2910:18
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/sd/sd.c:1984:15
Reported-by: Alexander Bulekov <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/487
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Message-Id: <[email protected]>
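A hypothetical C model of the state machine the commit message above describes, added here and not QEMU's own code: the names (SDModel, sd_model_*), the single cursor shared by all commands and the 64/512-byte buffer sizes are assumptions taken from the report, and sd_model_scenario replays the CMD17-to-CMD13 switch once without and once with the cursor reset that the fix introduces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified model of the card state in sd.c (not QEMU's own
 * code): one cursor shared by every command, 512 bytes for CMD17, 64 for CMD13. */
enum { CMD13_SEND_STATUS = 13, CMD17_READ_SINGLE_BLOCK = 17 };
#define STATUS_LEN 64u
#define BLOCK_LEN  512u

typedef struct {
    int current_cmd;
    bool transferring;
    uint32_t data_offset;
    uint8_t status_buf[STATUS_LEN];
    uint8_t block_buf[BLOCK_LEN];
} SDModel;

/* A command arriving mid-transfer is unexpected and gets R0 (no response).
 * The hardened variant also resets the cursor: the active buffer may shrink,
 * so a stale offset must not survive the switch. Returns true when accepted. */
static bool sd_model_command(SDModel *sd, int cmd, bool hardened) {
    bool unexpected = sd->transferring;
    sd->current_cmd = cmd;
    if (unexpected && !hardened) {
        return false;          /* vulnerable: data_offset kept as-is */
    }
    sd->transferring = true;
    sd->data_offset = 0;       /* the fix: start over in the new buffer */
    return !unexpected;
}

/* Next byte of the active buffer, or -1 where unchecked code would index
 * past the end (the UBSAN report above is exactly that access). */
static int sd_model_read_byte(SDModel *sd) {
    bool block = sd->current_cmd == CMD17_READ_SINGLE_BLOCK;
    uint32_t len = block ? BLOCK_LEN : STATUS_LEN;
    uint8_t *buf = block ? sd->block_buf : sd->status_buf;
    if (sd->data_offset >= len) {
        return -1;
    }
    return buf[sd->data_offset++];
}

/* The reported sequence: CMD17, consume 256 bytes, switch to CMD13, read. */
static int sd_model_scenario(bool hardened) {
    SDModel sd;
    memset(&sd, 0, sizeof(sd));
    sd_model_command(&sd, CMD17_READ_SINGLE_BLOCK, hardened);
    for (int i = 0; i < 256; i++) sd_model_read_byte(&sd);
    sd_model_command(&sd, CMD13_SEND_STATUS, hardened);
    return sd_model_read_byte(&sd);   /* -1 without the fix, 0 with it */
}
```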
Commit: 8d380565adf45fa456832d7e2cbbf7be359ebbd8
https://github.com/qemu/qemu/commit/8d380565adf45fa456832d7e2cbbf7be359ebbd8
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Correct code indentation
Fix mis-alignment from commits 793d04f495 and 6380cd2052
("Add sd_cmd_SEND_TUNING_BLOCK" and "Add sd_cmd_SET_BLOCK_COUNT").
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: d00e614f61e1a90ee905e783d3363752e63df8c0
https://github.com/qemu/qemu/commit/d00e614f61e1a90ee905e783d3363752e63df8c0
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Rewrite sd_cmd_ALL_SEND_CID using switch case (CMD2)
Keep this handler style in sync with other handlers by
using a switch() case, which might become handy to
handle other states.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 3dc5d349a32d741d3b432cc53f2ed518ff3c5f38
https://github.com/qemu/qemu/commit/3dc5d349a32d741d3b432cc53f2ed518ff3c5f38
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
M hw/sd/sdmmc-internal.c
Log Message:
-----------
hw/sd/sdcard: Fix typo in SEND_OP_COND command name
There is no SEND_OP_CMD but SEND_OP_COND.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: f17fb69c55c7020b90cc1a9eaefe716902a5bc0e
https://github.com/qemu/qemu/commit/f17fb69c55c7020b90cc1a9eaefe716902a5bc0e
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Use HWBLOCK_SHIFT definition instead of magic values
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 904547845c559d7530a20792d599a77d8e2ae442
https://github.com/qemu/qemu/commit/904547845c559d7530a20792d599a77d8e2ae442
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Use registerfield CSR::CURRENT_STATE definition
Use registerfield-generated definitions to update card_status.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: eac7ce3de78ee96c3e2b3eb2678682e44078bcdf
https://github.com/qemu/qemu/commit/eac7ce3de78ee96c3e2b3eb2678682e44078bcdf
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Use Load/Store API to fill some CID/CSD registers
The ld/st API helps notice that CID or CSD bytes refer
to the same field. Multi-byte fields are stored MSB
first in CID / CSD.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 3b87fff1cd34a1f7cbf2884e615cfd69c28c8ef2
https://github.com/qemu/qemu/commit/3b87fff1cd34a1f7cbf2884e615cfd69c28c8ef2
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Remove ACMD6 handler for SPI mode
There is no ACMD6 command in SPI mode, remove the pointless
handler introduced in commit 946897ce18 ("sdcard: handles
more commands in SPI mode"). Keep sd_cmd_unimplemented()
since we'll reuse it later.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 913638464c5cc244545af0a7f2a1c32c5780d6a4
https://github.com/qemu/qemu/commit/913638464c5cc244545af0a7f2a1c32c5780d6a4
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Remove explicit entries for illegal commands
NULL handler is already handled as illegal, no need to
duplicate (that keeps this array simpler to maintain).
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 0e93b3b30b29b3e23eabf5ba759315cece761a9c
https://github.com/qemu/qemu/commit/0e93b3b30b29b3e23eabf5ba759315cece761a9c
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
M hw/sd/trace-events
Log Message:
-----------
hw/sd/sdcard: Trace update of block count (CMD23)
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: eded0d1a485f3e6279142b88edf444e5e764c9a6
https://github.com/qemu/qemu/commit/eded0d1a485f3e6279142b88edf444e5e764c9a6
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Have cmd_valid_while_locked() return a boolean value
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 0ab318ca3c0b370ff82e9fabf80633cc93d0574e
https://github.com/qemu/qemu/commit/0ab318ca3c0b370ff82e9fabf80633cc93d0574e
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Factor sd_req_get_rca() method out
Extract sd_req_get_rca() so we can re-use it in various
SDProto handlers. Return a 16-bit value since RCA is 16-bit.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 4a829730c85a8e44f142aeca6c95b8b07742c96b
https://github.com/qemu/qemu/commit/4a829730c85a8e44f142aeca6c95b8b07742c96b
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Only call sd_req_get_rca() where RCA is used
It will be useful later to assert only AC commands
(Addressed point-to-point Commands, defined as the
'sd_ac' enum) extract the RCA value from the command
argument.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 8b91a5613ca1520286b7c3ffe19ebecf144c781a
https://github.com/qemu/qemu/commit/8b91a5613ca1520286b7c3ffe19ebecf144c781a
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Factor sd_req_get_address() method out
Extract sd_cmd_get_address() so we can re-use it
in various SDProto handlers. Use CARD_CAPACITY and
HWBLOCK_SHIFT definitions instead of magic values.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 6a226b2cab40f9d40be5de59230d80d9aa11bc42
https://github.com/qemu/qemu/commit/6a226b2cab40f9d40be5de59230d80d9aa11bc42
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Only call sd_req_get_address() where address is used
It will be useful later to assert only ADTC commands
(Addressed point-to-point Data Transfer Commands, defined
as the 'sd_adtc' enum) extract the address value from the
command argument.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 9ee9292b75fcce4c32ebfe009c950d8437a267f2
https://github.com/qemu/qemu/commit/9ee9292b75fcce4c32ebfe009c950d8437a267f2
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Add sd_invalid_mode_for_cmd to report invalid mode switch
Having the mode switch displayed helps to track incomplete
command implementations.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: cd44ccee18e2a8856f7ddc0b00bbc40dfa9fd5d5
https://github.com/qemu/qemu/commit/cd44ccee18e2a8856f7ddc0b00bbc40dfa9fd5d5
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Inline BLK_READ_BLOCK / BLK_WRITE_BLOCK macros
These macros only save 3 chars and make the code harder
to maintain, simply remove them.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 76ae9a231487a2b127c90bcb657fd42a1f6c06f8
https://github.com/qemu/qemu/commit/76ae9a231487a2b127c90bcb657fd42a1f6c06f8
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Add comments around registers and commands
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Tested-by: Cédric Le Goater <[email protected]>
Message-Id: <[email protected]>
Commit: 78c236a9edbef8f1d7652b47184a9cd173cea73d
https://github.com/qemu/qemu/commit/78c236a9edbef8f1d7652b47184a9cd173cea73d
Author: Richard Henderson <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M hw/sd/sd.c
M hw/sd/sdmmc-internal.c
M hw/sd/trace-events
M include/qemu/bswap.h
Log Message:
-----------
Merge tag 'sdmmc-20240624' of https://github.com/philmd/qemu into staging
SD/MMC patches queue
One fix and various cleanups for the SD card model.
# gpg: Signature made Mon 24 Jun 2024 06:13:57 AM PDT
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
* tag 'sdmmc-20240624' of https://github.com/philmd/qemu:
hw/sd/sdcard: Add comments around registers and commands
hw/sd/sdcard: Inline BLK_READ_BLOCK / BLK_WRITE_BLOCK macros
hw/sd/sdcard: Add sd_invalid_mode_for_cmd to report invalid mode switch
hw/sd/sdcard: Only call sd_req_get_address() where address is used
hw/sd/sdcard: Factor sd_req_get_address() method out
hw/sd/sdcard: Only call sd_req_get_rca() where RCA is used
hw/sd/sdcard: Factor sd_req_get_rca() method out
hw/sd/sdcard: Have cmd_valid_while_locked() return a boolean value
hw/sd/sdcard: Trace update of block count (CMD23)
hw/sd/sdcard: Remove explicit entries for illegal commands
hw/sd/sdcard: Remove ACMD6 handler for SPI mode
hw/sd/sdcard: Use Load/Store API to fill some CID/CSD registers
hw/sd/sdcard: Use registerfield CSR::CURRENT_STATE definition
hw/sd/sdcard: Use HWBLOCK_SHIFT definition instead of magic values
hw/sd/sdcard: Fix typo in SEND_OP_COND command name
hw/sd/sdcard: Rewrite sd_cmd_ALL_SEND_CID using switch case (CMD2)
hw/sd/sdcard: Correct code indentation
hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
bswap: Add st24_be_p() to store 24 bits in big-endian order
Signed-off-by: Richard Henderson <[email protected]>
Compare: https://github.com/qemu/qemu/compare/e2bc7787c8dc...78c236a9edbe