Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
On 210216 0855, Bin Meng wrote:
> Hi Alex,
>
> On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov wrote:
> >
> > Hi Bin,
> > Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> > one thing:
>
> Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

Yes we have some documentation in docs/devel/fuzzing.rst, but it doesn't
talk about using the OSS-Fuzz corpus. The OSS-Fuzz corpus is private, by
default, but I uploaded a copy of the current sdhci corpus here:
https://drive.google.com/file/d/1PcwFbY9YXPdaJ3aapIV2BI-bN5mbBgif/view?usp=sharing

To build the fuzzer, you need clang:

build the fuzzers
$ CC=clang CXX=clang++ ../configure --enable-fuzzing --enable-sanitizers \
    --disable-werror
$ ninja -j`nproc` qemu-fuzz-i386

untar the corpus somewhere (~300 MB uncompressed)
$ tar -xvf sdhci-corpus.tar.gz

run through all the inputs once
$ ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-sdhci-v3 \
    ~/path/to/corpus/qemu_qemu-fuzz-i386-target-generic-fuzz-sdhci-v3/* &> out

That will take some minutes, but you can look at the out file and search
for "ERROR" to find crashing inputs.
-Alex

>
> > Maybe this is already much better than the current state of the code, so
> > this one can be fixed in a later patch?
>
> Depends on when Philippe can pick up this series, but I can also try to
> have a quick look :)
>
> > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> > -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> > -device sd-card,drive=mydrive \
> > -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> > -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xe000
> > outl 0xcf8 0x80001001
> > outl 0xcfc 0x0600
> > write 0xe02c 0x1 0x05
> > write 0xe005 0x1 0x02
> > write 0xe007 0x1 0x01
> > write 0xe028 0x1 0x10
> > write 0x0 0x1 0x23
> > write 0x2 0x1 0x08
> > write 0xe00c 0x1 0x01
> > write 0xe00e 0x1 0x20
> > write 0xe00f 0x1 0x00
> > write 0xe00c 0x1 0x32
> > write 0xe004 0x2 0x0200
> > write 0xe028 0x1 0x00
> > write 0xe003 0x1 0x40
> > EOF
> >
> >
> > ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x61531880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> > READ of size 4 at 0x61531880 thread T0
> >     #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> >     #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> >     #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
> >     #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> >     #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> >     #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> >     #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> >     #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> >     #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
> >     #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> >     #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
> >     #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
> >     #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> >     #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
> >     #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> >     #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
>
> Regards,
> Bin
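As an added example (not code from the thread or from QEMU), a small POSIX shell helper for triaging the "out" file produced by the corpus run described above: libFuzzer prints a "Running: <path>" line before each corpus file it executes, so pairing the most recent such line with the sanitizer's "ERROR:" line names the input that triggered the report. The log in the block is constructed to mimic that output; the frame and addresses are taken from the report quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the qemu-devel thread): triage the "out" file from
# a libFuzzer corpus run and name the corpus input that produced the sanitizer
# report. Assumes libFuzzer's "Running: <path>" / "Executed <path> in N ms"
# progress lines, which precede each input when files are passed as arguments.

# crashing_inputs LOGFILE
# Prints "<corpus-file> <sanitizer>: <bug-class>" for each ERROR report found.
crashing_inputs() {
    awk '
        /^Running: / { current = $2 }
        /^==[0-9]+==ERROR: / {
            sub(/^==[0-9]+==ERROR: /, "")   # drop the "==pid==ERROR: " prefix
            sub(/ on address .*$/, "")      # keep only "<tool>: <bug class>"
            print current " " $0
        }
    ' "$1"
}

# clean_inputs LOGFILE: number of corpus inputs that executed without a report.
clean_inputs() {
    grep -c '^Executed ' "$1" || true
}

# write_sample_log FILE: constructed stand-in for real fuzzer output. The
# process normally dies at the first report, so only one ERROR appears.
write_sample_log() {
    cat > "$1" <<'EOF'
INFO: Seed: 12345
Running: corpus/0a1b2c3d
Executed corpus/0a1b2c3d in 3 ms
Running: corpus/4e5f6a7b
Executed corpus/4e5f6a7b in 2 ms
Running: corpus/8c9d0e1f
==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61531880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x61531880 thread T0
    #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
    #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "inputs executed cleanly: $(clean_inputs "$log")"
crashing_inputs "$log"
rm -f "$log"
```

Point `crashing_inputs` at the real "out" file to get the corpus path to copy into a qtest reproducer or a regression test.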
Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
Hi Alex,

On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov wrote:
>
> Hi Bin,
> Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> one thing:

Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

> Maybe this is already much better than the current state of the code, so
> this one can be fixed in a later patch?

Depends on when Philippe can pick up this series, but I can also try to
have a quick look :)

> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> -device sd-card,drive=mydrive \
> -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe000
> outl 0xcf8 0x80001001
> outl 0xcfc 0x0600
> write 0xe02c 0x1 0x05
> write 0xe005 0x1 0x02
> write 0xe007 0x1 0x01
> write 0xe028 0x1 0x10
> write 0x0 0x1 0x23
> write 0x2 0x1 0x08
> write 0xe00c 0x1 0x01
> write 0xe00e 0x1 0x20
> write 0xe00f 0x1 0x00
> write 0xe00c 0x1 0x32
> write 0xe004 0x2 0x0200
> write 0xe028 0x1 0x00
> write 0xe003 0x1 0x40
> EOF
>
>
> ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x61531880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> READ of size 4 at 0x61531880 thread T0
>     #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
>     #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
>     #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
>     #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
>     #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
>     #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
>     #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
>     #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
>     #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
>     #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
>     #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
>     #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
>     #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
>     #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
>     #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
>     #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18

Regards,
Bin
Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
Hi Bin,
Thank you for this. I ran through the OSS-Fuzz tests again, and it found
one thing:

Maybe this is already much better than the current state of the code, so
this one can be fixed in a later patch?

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
-m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe000
outl 0xcf8 0x80001001
outl 0xcfc 0x0600
write 0xe02c 0x1 0x05
write 0xe005 0x1 0x02
write 0xe007 0x1 0x01
write 0xe028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe00c 0x1 0x01
write 0xe00e 0x1 0x20
write 0xe00f 0x1 0x00
write 0xe00c 0x1 0x32
write 0xe004 0x2 0x0200
write 0xe028 0x1 0x00
write 0xe003 0x1 0x40
EOF

==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61531880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x61531880 thread T0
    #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
    #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
    #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
    #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
    #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
    #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
    #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
    #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
    #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
    #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
    #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
    #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
    #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
    #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
    #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
    #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18

-Alex

On 210215 2311, Bin Meng wrote:
> From: Bin Meng
>
> This series includes several fixes to CVE-2020-17380, CVE-2020-25085
> and CVE-2021-3409 that are heap-based buffer overflow issues existing
> in the sdhci model.
>
> These CVEs are pretty much similar, and were filed using different
> reproducers. With this series, current known reproducers I have
> cannot be reproduced any more.
>
> The implementation of this model may still have some issues, i.e.:
> some code does not strictly match the spec, but since this series
> only aims to address CVEs, such issues should be fixed in a separate
> series in the future, if I have time :)
>
>
> Bin Meng (4):
>   hw/sd: sdhci: Don't transfer any data when command time out
>   hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
>     progress
>   hw/sd: sdhci: Correctly set the controller status for ADMA
>   hw/sd: sdhci: Simplify updating s->prnsts in
>     sdhci_sdma_transfer_multi_blocks()
>
>  hw/sd/sdhci.c | 34 --
>  1 file changed, 20 insertions(+), 14 deletions(-)
>
> --
> 2.7.4
>
[PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
From: Bin Meng

This series includes several fixes to CVE-2020-17380, CVE-2020-25085
and CVE-2021-3409 that are heap-based buffer overflow issues existing
in the sdhci model.

These CVEs are pretty much similar, and were filed using different
reproducers. With this series, current known reproducers I have
cannot be reproduced any more.

The implementation of this model may still have some issues, i.e.:
some code does not strictly match the spec, but since this series
only aims to address CVEs, such issues should be fixed in a separate
series in the future, if I have time :)


Bin Meng (4):
  hw/sd: sdhci: Don't transfer any data when command time out
  hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
    progress
  hw/sd: sdhci: Correctly set the controller status for ADMA
  hw/sd: sdhci: Simplify updating s->prnsts in
    sdhci_sdma_transfer_multi_blocks()

 hw/sd/sdhci.c | 34 --
 1 file changed, 20 insertions(+), 14 deletions(-)

--
2.7.4