Instead of accessing a device with an invalid short size, return MEMTX_ERROR to indicate the transaction failed (as the device won't accept the transaction anyway).
Reported by libFuzzer. sdhci_sdma_transfer_multi_blocks() ends calling dma_memory_rw() with size < 4, while the DMA MMIO regions are restricted to 32-bit accesses: qemu-fuzz-arm: hw/dma/bcm2835_dma.c:153: uint64_t bcm2835_dma_read(BCM2835DMAState *, hwaddr, unsigned int, unsigned int): Assertion `size == 4' failed. ==27332== ERROR: libFuzzer: deadly signal #8 0x7f0ffa1f5565 in __GI___assert_fail (/lib64/libc.so.6+0x30565) #9 0x562fe3c9c83f in bcm2835_dma_read (qemu-fuzz-arm+0x1d2e83f) #10 0x562fe3c9f81b in bcm2835_dma15_read (qemu-fuzz-arm+0x1d3181b) #11 0x562fe307d265 in memory_region_read_accessor (qemu-fuzz-arm+0x110f265) #12 0x562fe304ecb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3) #13 0x562fe304cb37 in memory_region_dispatch_read1 (qemu-fuzz-arm+0x10deb37) #14 0x562fe304c553 in memory_region_dispatch_read (qemu-fuzz-arm+0x10de553) #15 0x562fe2e7fd1d in flatview_read_continue (qemu-fuzz-arm+0xf11d1d) #16 0x562fe2e8147d in flatview_read (qemu-fuzz-arm+0xf1347d) #17 0x562fe2e80fd4 in address_space_read_full (qemu-fuzz-arm+0xf12fd4) #18 0x562fe2e820fa in address_space_rw (qemu-fuzz-arm+0xf140fa) #19 0x562fe411e485 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0485) #20 0x562fe411deb5 in dma_memory_rw (qemu-fuzz-arm+0x21afeb5) #21 0x562fe411d837 in dma_memory_read (qemu-fuzz-arm+0x21af837) #22 0x562fe41190a6 in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21ab0a6) #23 0x562fe41217c1 in sdhci_write (qemu-fuzz-arm+0x21b37c1) #24 0x562fe304f147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147) #25 0x562fe304ecb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3) #26 0x562fe304d853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853) #27 0x562fe2e91e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b) #28 0x562fe2e81d02 in flatview_write (qemu-fuzz-arm+0xf13d02) #29 0x562fe2e81834 in address_space_write (qemu-fuzz-arm+0xf13834) qemu-fuzz-arm: hw/dma/bcm2835_dma.c:200: void bcm2835_dma_write(BCM2835DMAState *, hwaddr, uint64_t, unsigned int, unsigned int): Assertion `size == 4' failed. ==16113== ERROR: libFuzzer: deadly signal #8 0x7fd823d3d565 in __GI___assert_fail (/lib64/libc.so.6+0x30565) #9 0x557a62b72ec3 in bcm2835_dma_write (qemu-fuzz-arm+0x1d2eec3) #10 0x557a62b725e8 in bcm2835_dma0_write (qemu-fuzz-arm+0x1d2e5e8) #11 0x557a61f25147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147) #12 0x557a61f24cb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3) #13 0x557a61f23853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853) #14 0x557a61d67e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b) #15 0x557a61d57d02 in flatview_write (qemu-fuzz-arm+0xf13d02) #16 0x557a61d57834 in address_space_write (qemu-fuzz-arm+0xf13834) #17 0x557a61d58054 in address_space_rw (qemu-fuzz-arm+0xf14054) #18 0x557a62ff4485 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0485) #19 0x557a62ff3eb5 in dma_memory_rw (qemu-fuzz-arm+0x21afeb5) #20 0x557a62ff379a in dma_memory_write (qemu-fuzz-arm+0x21af79a) #21 0x557a62fee9dc in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21aa9dc) #22 0x557a62ff77c1 in sdhci_write (qemu-fuzz-arm+0x21b37c1) #23 0x557a61f25147 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1147) #24 0x557a61f24cb3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0cb3) #25 0x557a61f23853 in memory_region_dispatch_write (qemu-fuzz-arm+0x10df853) #26 0x557a61d67e0b in flatview_write_continue (qemu-fuzz-arm+0xf23e0b) #27 0x557a61d57d02 in flatview_write (qemu-fuzz-arm+0xf13d02) #28 0x557a61d57834 in address_space_write (qemu-fuzz-arm+0xf13834) ==5448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000024380 at pc 0x55aac095e2cc bp 0x7fff9144ead0 sp 0x7fff9144e280 WRITE of size 4 at 0x619000024380 thread T0 #0 0x55aac095e2cb in __asan_memcpy (qemu-fuzz-arm+0xeb92cb) #1 0x55aac09de163 in stl_he_p (qemu-fuzz-arm+0xf39163) #2 0x55aac09b796f in stn_he_p (qemu-fuzz-arm+0xf1296f) #3 0x55aac09b6ec5 in flatview_read_continue (qemu-fuzz-arm+0xf11ec5) #4 0x55aac09b86dd in flatview_read (qemu-fuzz-arm+0xf136dd) #5 0x55aac09b8234 in address_space_read_full (qemu-fuzz-arm+0xf13234) #6 0x55aac09b935a in address_space_rw (qemu-fuzz-arm+0xf1435a) #7 0x55aac1c55b35 in dma_memory_rw_relaxed (qemu-fuzz-arm+0x21b0b35) #8 0x55aac1c55565 in dma_memory_rw (qemu-fuzz-arm+0x21b0565) #9 0x55aac1c54ee7 in dma_memory_read (qemu-fuzz-arm+0x21afee7) #10 0x55aac1c5074e in sdhci_sdma_transfer_multi_blocks (qemu-fuzz-arm+0x21ab74e) #11 0x55aac1c58e71 in sdhci_write (qemu-fuzz-arm+0x21b3e71) #12 0x55aac0b86417 in memory_region_write_accessor (qemu-fuzz-arm+0x10e1417) #13 0x55aac0b85f87 in access_with_adjusted_size (qemu-fuzz-arm+0x10e0f87) #14 0x55aac0b84ab3 in memory_region_dispatch_write (qemu-fuzz-arm+0x10dfab3) #15 0x55aac09c906b in flatview_write_continue (qemu-fuzz-arm+0xf2406b) #16 0x55aac09b8f62 in flatview_write (qemu-fuzz-arm+0xf13f62) #17 0x55aac09b8a94 in address_space_write (qemu-fuzz-arm+0xf13a94) Reported-by: Clang combined libFuzzer with AddressSanitizer Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org> --- exec.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/exec.c b/exec.c index d3ec30f995..100c2754f2 100644 --- a/exec.c +++ b/exec.c @@ -3136,13 +3136,20 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, for (;;) { if (!memory_access_is_direct(mr, true)) { + /* I/O case */ + hwaddr l2; + release_lock |= prepare_mmio_access(mr); - l = memory_access_size(mr, l, addr1); + l2 = memory_access_size(mr, l, addr1); /* XXX: could force current_cpu to NULL to avoid potential bugs */ - val = ldn_he_p(buf, l); - result |= memory_region_dispatch_write(mr, addr1, val, - size_memop(l), attrs); + if (l <= l2) { + val = ldn_he_p(buf, l); + result |= memory_region_dispatch_write(mr, addr1, val, + size_memop(l), attrs); + } else { + result = MEMTX_ERROR; + } } else { /* RAM case */ ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); @@ -3202,11 +3209,17 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, for (;;) { if (!memory_access_is_direct(mr, false)) { /* I/O case */ + hwaddr l2; + release_lock |= prepare_mmio_access(mr); - l = memory_access_size(mr, l, addr1); - result |= memory_region_dispatch_read(mr, addr1, &val, - size_memop(l), attrs); - stn_he_p(buf, l, val); + l2 = memory_access_size(mr, l, addr1); + if (l <= l2) { + result |= memory_region_dispatch_read(mr, addr1, &val, + size_memop(l), attrs); + stn_he_p(buf, l, val); + } else { + result = MEMTX_ERROR; + } } else { /* RAM case */ ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); -- 2.21.3