Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug
On 30/04/2024 06.32, Thomas Huth wrote:
On 30/04/2024 02.17, Richard Henderson wrote:
On 4/28/24 20:25, Jeuk Kim wrote:
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
You can reproduce it by:
cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x8810
outl 0xcfc 0xe000
outl 0xcf8 0x8804
outw 0xcfc 0x06
write 0xe058 0x1 0xa7
write 0xa 0x1 0x50
EOF
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
---
hw/ufs/ufs.c | 8
1 file changed, 8 insertions(+)
For some reason this appears to cause failures on s390x:
https://gitlab.com/qemu-project/qemu/-/jobs/6740883283
All of the timeouts are new with this patch alone applied,
and go away when reverted.
I wasn't aware that these tests used ufs, but I have no
other explanation...
I don't know for sure, but the test failure might instead be related to the
problem that gets fixed by
https://lore.kernel.org/qemu-devel/20240429075908.36302-1-th...@redhat.com/
... I'm preparing a pull request for that fix right now, so maybe you could
try this ufs pull request afterwards again to see whether the problem is fixed?
Hmm, thinking about it twice, it cannot be the reason: That bug affects
aarch64/arm only, and in above CI run, some other targets were failing. So
the problem must be something else, indeed.
Thomas
Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug
On 30/04/2024 02.17, Richard Henderson wrote:
On 4/28/24 20:25, Jeuk Kim wrote:
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
You can reproduce it by:
cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x8810
outl 0xcfc 0xe000
outl 0xcf8 0x8804
outw 0xcfc 0x06
write 0xe058 0x1 0xa7
write 0xa 0x1 0x50
EOF
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
---
hw/ufs/ufs.c | 8
1 file changed, 8 insertions(+)
For some reason this appears to cause failures on s390x:
https://gitlab.com/qemu-project/qemu/-/jobs/6740883283
All of the timeouts are new with this patch alone applied,
and go away when reverted.
I wasn't aware that these tests used ufs, but I have no
other explanation...
I don't know for sure, but the test failure might instead be related to the
problem that gets fixed by
https://lore.kernel.org/qemu-devel/20240429075908.36302-1-th...@redhat.com/
... I'm preparing a pull request for that fix right now, so maybe you could
try this ufs pull request afterwards again to see whether the problem is fixed?
Thomas
Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug
On 4/28/24 20:25, Jeuk Kim wrote:
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
You can reproduce it by:
cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x8810
outl 0xcfc 0xe000
outl 0xcf8 0x8804
outw 0xcfc 0x06
write 0xe058 0x1 0xa7
write 0xa 0x1 0x50
EOF
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
---
hw/ufs/ufs.c | 8
1 file changed, 8 insertions(+)
For some reason this appears to cause failures on s390x:
https://gitlab.com/qemu-project/qemu/-/jobs/6740883283
All of the timeouts are new with this patch alone applied,
and go away when reverted.
I wasn't aware that these tests used ufs, but I have no
other explanation...
r~
[PULL 1/1] hw/ufs: Fix buffer overflow bug
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
You can reproduce it by:
cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x8810
outl 0xcfc 0xe000
outl 0xcf8 0x8804
outw 0xcfc 0x06
write 0xe058 0x1 0xa7
write 0xa 0x1 0x50
EOF
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
Signed-off-by: Stefan Hajnoczi
Message-ID:
---
hw/ufs/ufs.c | 8
1 file changed, 8 insertions(+)
diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index eccdb852a0..bac78a32bb 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -126,6 +126,10 @@ static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
data_segment_length;
+if (copy_size > sizeof(req->req_upiu)) {
+copy_size = sizeof(req->req_upiu);
+}
+
ret = ufs_addr_read(u, req_upiu_base_addr, >req_upiu, copy_size);
if (ret) {
trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
@@ -225,6 +229,10 @@ static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
copy_size = rsp_upiu_byte_len;
}
+if (copy_size > sizeof(req->rsp_upiu)) {
+copy_size = sizeof(req->rsp_upiu);
+}
+
ret = ufs_addr_write(u, rsp_upiu_base_addr, >rsp_upiu, copy_size);
if (ret) {
trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
--
2.44.0
Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug
29.04.2024 06:25, Jeuk Kim wrote:
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
...
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
Cc: qemu-stable@ for 8.2 and 9.0 series.
Please do not forget to Cc qemu-stable@ for relevant changes.
Thanks,
/mjt
[PULL 1/1] hw/ufs: Fix buffer overflow bug
From: Jeuk Kim
It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.
You can reproduce it by:
cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x8810
outl 0xcfc 0xe000
outl 0xcf8 0x8804
outw 0xcfc 0x06
write 0xe058 0x1 0xa7
write 0xa 0x1 0x50
EOF
Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma
Signed-off-by: Jeuk Kim
---
hw/ufs/ufs.c | 8
1 file changed, 8 insertions(+)
diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index eccdb852a0..bac78a32bb 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -126,6 +126,10 @@ static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
data_segment_length;
+if (copy_size > sizeof(req->req_upiu)) {
+copy_size = sizeof(req->req_upiu);
+}
+
ret = ufs_addr_read(u, req_upiu_base_addr, >req_upiu, copy_size);
if (ret) {
trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
@@ -225,6 +229,10 @@ static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
copy_size = rsp_upiu_byte_len;
}
+if (copy_size > sizeof(req->rsp_upiu)) {
+copy_size = sizeof(req->rsp_upiu);
+}
+
ret = ufs_addr_write(u, rsp_upiu_base_addr, >rsp_upiu, copy_size);
if (ret) {
trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
--
2.34.1
