#
f15cfe41 |
| 02-Sep-2022 |
Juan Quintela <quintela@redhat.com> |
qtest: "-display none" is set in qtest_init()
So we don't need to set anywhere else.
Signed-off-by: Juan Quintela <quintela@redhat.com> [thuth: Drop changes in tests/qtest/fuzz/ since the fuzzers s
qtest: "-display none" is set in qtest_init()
So we don't need to set anywhere else.
Signed-off-by: Juan Quintela <quintela@redhat.com> [thuth: Drop changes in tests/qtest/fuzz/ since the fuzzers still need this] Message-Id: <20220902165126.1482-2-quintela@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
#
907b5105 |
| 30-Mar-2022 |
Marc-André Lureau <marcandre.lureau@redhat.com> |
tests: move libqtest.h back under qtest/
Since commit a2ce7dbd917 ("meson: convert tests/qtest to meson"), libqtest.h is under libqos/ directory, while libqtest.c is still in qtest/. Move back to it
tests: move libqtest.h back under qtest/
Since commit a2ce7dbd917 ("meson: convert tests/qtest to meson"), libqtest.h is under libqos/ directory, while libqtest.c is still in qtest/. Move back to its original location to avoid mixing with libqos/.
Suggested-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
show more ...
|
#
b911c30c |
| 14-Apr-2022 |
Thomas Huth <thuth@redhat.com> |
tests/qtest: Move the fuzz tests to x86 only
The fuzz tests are currently scheduled for all targets, but their setup code limits the run to "i386", so that these tests always show "SKIP" on other ta
tests/qtest: Move the fuzz tests to x86 only
The fuzz tests are currently scheduled for all targets, but their setup code limits the run to "i386", so that these tests always show "SKIP" on other targets. Move it to the right x86 list in meson.build, then we can drop the architecture check during runtime, too.
Message-Id: <20220414130127.719528-1-thuth@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
#
27801168 |
| 15-Dec-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)
Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/451. Without the p
tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)
Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/451. Without the previous commit, we get:
$ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8 READ of size 1 at 0x61500002a080 thread T0 #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18 #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19 #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11 #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18 #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16 #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9 #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23 #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12 #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18 #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16 #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12 #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12 #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27 #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13 #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9 #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9 #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5 #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18 #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16 #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23 #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12 #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18 #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9
0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080) allocated by thread T0 here: #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737) #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0) #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport Shadow bytes around the buggy address: 0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Heap left redzone: fa Freed heap region: fd ==447470==ABORTING Broken pipe ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Acked-by: Thomas Huth <thuth@redhat.com> Message-Id: <20211215205656.488940-4-philmd@redhat.com> [thuth: Replaced "-m 4G" with "-m 512M"] Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
Revision tags: v6.2.0, v6.1.0 |
|
#
ca92f162 |
| 05-Aug-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2021-08-05' into staging QAPI patches patches for 2021-08-05 # gpg: Signature made Thu 05 Aug 2021 15:06:12 BST # gpg
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2021-08-05' into staging QAPI patches patches for 2021-08-05 # gpg: Signature made Thu 05 Aug 2021 15:06:12 BST # gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653 # gpg: issuer "armbru@redhat.com" # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full] # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full] # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-qapi-2021-08-05: docs: convert writing-qmp-commands.txt to writing-qmp-commands.rst docs/qapi-code-gen: add cross-references docs/qapi-code-gen: Beautify formatting docs: convert qapi-code-gen.txt to ReST docs/devel/qapi-code-gen: Update examples to match current code Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
f17d0556 |
| 04-Aug-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging pc,pci: bugfixes Small bugfixes all over the place. Signed-off-by: Michael S. Tsirkin <mst@redhat.
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging pc,pci: bugfixes Small bugfixes all over the place. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Tue 03 Aug 2021 21:32:43 BST # gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469 # gpg: issuer "mst@redhat.com" # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: Drop _DSM 5 from expected DSDTs on ARM Revert "acpi/gpex: Inform os to keep firmware resource map" arm/acpi: allow DSDT changes acpi: x86: pcihp: add support hotplug on multifunction bridges hw/pcie-root-port: Fix hotplug for PCI devices requiring IO Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
700d82c9 |
| 04-Aug-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging SD/MMC patches queue - sdcard: Fix assertion accessing out-of-range addresses with SEND_WRITE_PR
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging SD/MMC patches queue - sdcard: Fix assertion accessing out-of-range addresses with SEND_WRITE_PROT (CMD30) # gpg: Signature made Tue 03 Aug 2021 18:38:03 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd/tags/sdmmc-20210803: hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
4ac0b72b |
| 02-Aug-2021 |
Philippe Mathieu-Daudé <f4bug@amsat.org> |
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers the assertion added in c
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers the assertion added in commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group"): qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed. #3 0x7f62a8b22c91 in __assert_fail #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9 #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38 #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17 #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16 #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12 #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9 #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5 It is legal for the CMD30 to query for out-of-range addresses. Such invalid addresses are simply ignored in the response (write protection bits set to 0). In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group") we misplaced the assertion *before* we test the address is in range. Move it *after*. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed. Cc: qemu-stable@nongnu.org Reported-by: OSS-Fuzz (Issue 29225) Suggested-by: Peter Maydell <peter.maydell@linaro.org> Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210802235524.3417739-3-f4bug@amsat.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Tested-by: Alexander Bulekov <alxndr@bu.edu>
show more ...
|
#
1f966c7c |
| 14-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/mdroth/tags/qga-pull-2021-07-13-tag' into staging qemu-ga patch queue for soft-freeze * add support for Windows Server 2022 in get-osinfo comma
Merge remote-tracking branch 'remotes/mdroth/tags/qga-pull-2021-07-13-tag' into staging qemu-ga patch queue for soft-freeze * add support for Windows Server 2022 in get-osinfo command # gpg: Signature made Tue 13 Jul 2021 19:10:05 BST # gpg: using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584 # gpg: Good signature from "Michael Roth <flukshun@gmail.com>" [full] # gpg: aka "Michael Roth <mdroth@utexas.edu>" [full] # gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>" [full] # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 * remotes/mdroth/tags/qga-pull-2021-07-13-tag: qga-win: Add support of Windows Server 2022 in get-osinfo command Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
2a54fc45 |
| 13-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-6.1-pull-request' into staging Linux-user pull request 20210713 Update headers to linux v5.13 cleanup errno tar
Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-6.1-pull-request' into staging Linux-user pull request 20210713 Update headers to linux v5.13 cleanup errno target headers Fix race condition on fd translation table # gpg: Signature made Tue 13 Jul 2021 14:41:25 BST # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/linux-user-for-6.1-pull-request: linux-user: update syscall.tbl to Linux v5.13 linux-user, mips: update syscall-args-o32.c.inc to Linux v5.13 linux-user: update syscall_nr.h to Linux v5.13 fd-trans: Fix race condition on reallocation of the translation table. linux-user/syscall: Remove ERRNO_TABLE_SIZE check linux-user: Simplify host <-> target errno conversion using macros linux-user/mips: Move errno definitions to 'target_errno_defs.h' linux-user/hppa: Move errno definitions to 'target_errno_defs.h' linux-user/alpha: Move errno definitions to 'target_errno_defs.h' linux-user: Extract target errno to 'target_errno_defs.h' linux-user/sparc: Rename target_errno.h -> target_errno_defs.h linux-user/syscall: Fix RF-kill errno (typo in ERFKILL) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
c6502434 |
| 13-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210713' into staging ppc patch queue 2021-07-13 I thought I'd sent the last PR before the 6.1 soft freeze, but
Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210713' into staging ppc patch queue 2021-07-13 I thought I'd sent the last PR before the 6.1 soft freeze, but unfortunately I need one more. This last minute one puts in a SLOF update, along with a couple of bugfixes. # gpg: Signature made Tue 13 Jul 2021 03:07:20 BST # gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full] # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full] # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full] # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown] # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dg-gitlab/tags/ppc-for-6.1-20210713: mv64361: Remove extra break from a switch case pseries: Update SLOF firmware image ppc/pegasos2: Allow setprop in VOF Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
708f5019 |
| 13-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-07-09-v2' into staging nbd patches for 2021-07-09 - enhance 'qemu-img map --output=json' to make it easier to duplicat
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-07-09-v2' into staging nbd patches for 2021-07-09 - enhance 'qemu-img map --output=json' to make it easier to duplicate backing chain allocation patterns - fix a race in the 'yank' QMP command in relation to NBD requests # gpg: Signature made Mon 12 Jul 2021 18:43:37 BST # gpg: using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A # gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full] # gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full] # gpg: aka "[jpeg image of size 6874]" [full] # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A * remotes/ericb/tags/pull-nbd-2021-07-09-v2: nbd: register yank function earlier qemu-img: Reword 'qemu-img map --output=json' docs qemu-img: Make unallocated part of backing chain obvious in map iotests: Improve and rename test 309 to nbd-qemu-allocation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
5e05c40c |
| 13-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging Pull request # gpg: Signature made Mon 12 Jul 2021 17:49:46 BST # gpg:
Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging Pull request # gpg: Signature made Mon 12 Jul 2021 17:49:46 BST # gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full] # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full] # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha-gitlab/tags/tracing-pull-request: trace, lttng: require .pc files trace/simple: add st_init_group trace/simple: pass iter to st_write_event_mapping trace: add trace_event_iter_init_group trace: iter init tweaks qemu-trace-stap: changing SYSTEMTAP_TAPSET considered harmful. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
eca73713 |
| 12-Jul-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210712' into staging SD/MMC patches queue - sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) # gpg
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210712' into staging SD/MMC patches queue - sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) # gpg: Signature made Mon 12 Jul 2021 11:28:13 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd/tags/sdmmc-20210712: hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses hw/sd/sdcard: When card is in wrong state, log which state it is Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
#
59b63d78 |
| 29-Jun-2021 |
Philippe Mathieu-Daudé <f4bug@amsat.org> |
hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers an assertion:
hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30) OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers an assertion: qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed. ==11578== ERROR: libFuzzer: deadly signal #8 0x7ffff628e091 in __assert_fail #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9 #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38 #11 0x5555588d777c in sd_do_command hw/sd/sd.c #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16 #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12 #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9 #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5 Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check for multi block reads"), check the address range before sending the status of the write protection bits. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed. Reported-by: OSS-Fuzz (Issue 29225) Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
show more ...
|