Merge tag 'pull-request-2022-10-12' of https://gitlab.com/thuth/qemu into staging

* Rework of qtests to support hot plugging tests on q35
* New VNC qtest
* Fixes related to temporary file handling i

Merge tag 'pull-request-2022-10-12' of https://gitlab.com/thuth/qemu into staging

* Rework of qtests to support hot plugging tests on q35
* New VNC qtest
* Fixes related to temporary file handling in the tests
* Use signal() instead of sigaction() since the latter does not work on Windows
* Some other small clean-ups

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmNGz1URHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbXwxxAAoh9CeYKLyPFPe71XGsSWW4mQDkny+4CA
# AFBfcEchPSyOoTJwuSHS5cL27KkL1Wy7wTSlWdcQ2Z4LA8hexopfPtCVlizH8vQh
# hHVP5KLDY7WA7bsuRznrjUjXtjLL9mExuPm3QZ+YxH/3rNhISvq1GfC9Z5PQ/zNp
# GagCW+WiFyEYyhRHJnVVTJfZV0NCbJp9KCCJ6n/Rag80JRQiouGQsKLfRoRhvkGC
# 13dWq2NeDq9xE1k1ThUZdIpUxJO4cA+9bh6LzGOIcHX8akfkryh3NGCWuojX3XDF
# 2CRyyblfjMIp5HUcKNOrQzY1oGRn8y5537ycUkEsropSMdAccIqNwlcWO7whLEGn
# 7nbogrPt8Orezytl5ZM3WopWlge5KA2vxOUURx487LnZC2/g7l2unrCDv0c3PHDb
# U2fD5do7ZtPOl9Uz8QkYPo5CzEDnKPmPv1txOMBRcBZsvmXPZMxRWwsYavB/RloG
# nI9IvG3ZW6ivKwoPPceJberL8Ndq+pqn7y4CNNAAunHSjJ2H0YS1m1F/HfVWKJYJ
# uStXy3IZ5Qo8E+IRbPYyM68yBgrnaShuAvTSax8tWjhHOR8HetrzPABMrWylCrdo
# gaeSCEZmqf2zIYHQ2q8c7U/YrHgFNHlLz9yCyM6rZtU9dOAe52PG2TlRQomlGP76
# NKnti3RJWG4=
# =4f+b
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 12 Oct 2022 10:29:41 EDT
# gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2022-10-12' of https://gitlab.com/thuth/qemu:
tests/unit/test-image-locking: Fix handling of temporary files
tests/qtest: libqtest: Install signal handler via signal()
tests/qtest: migration-test: Avoid using hardcoded /tmp
qtest: start a VNC test
tests/avocado: Add missing require_netdev('user') checks
tests/x86: Add 'q35' machine type to ivshmem-test
tests/x86: Add 'q35' machine type to drive_del-test
tests/x86: replace snprint() by g_strdup_printf() in drive_del-test
tests/x86: Fix comment typo in drive_del-test
tests/x86: Add 'q35' machine type to hotplug hd-geo-test
tests/x86: Add 'q35' machine type to override-tests in hd-geo-test
tests/x86: Refactor hot unplug hd-geo-test
tests/x86: Add subtest with 'q35' machine type to device-plug-test
tests/x86: add helper qtest_qmp_device_del_send()
tests/migration: remove the unused local variable
qtest: "-display none" is set in qtest_init()

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

qtest: "-display none" is set in qtest_init()

So we don't need to set anywhere else.

Signed-off-by: Juan Quintela <quintela@redhat.com>
[thuth: Drop changes in tests/qtest/fuzz/ since the fuzzers s

qtest: "-display none" is set in qtest_init()

So we don't need to set anywhere else.

Signed-off-by: Juan Quintela <quintela@redhat.com>
[thuth: Drop changes in tests/qtest/fuzz/ since the fuzzers still need this]
Message-Id: <20220902165126.1482-2-quintela@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

show more ...

Merge tag 'misc-pull-request' of gitlab.com:marcandre.lureau/qemu into staging

Misc cleanups

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmJxKjQcHG1hcmNhbmRy
# Z

Merge tag 'misc-pull-request' of gitlab.com:marcandre.lureau/qemu into staging

Misc cleanups

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmJxKjQcHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5ZD5D/9f5CGbNsrl7kB1t6iS
# 1ABr5AeW0g9sidMCsQAe9xhWl6+R2SO/z0bBue+mv1ltG0RSZ1ZXS4FyJFBAhFfR
# fZ6J7bvdnawIKOxu5T9NY/UvthdRV0eC8CTo0q6GAJo9MHyIGvo1TOoM2Ld9QpfB
# 2uup+9fw3Clh0HSHwV9LSL7v2nucFef4A5P1CJ6d1KHnnej0hfug5o+Aiy+wDLA2
# 5RnTm44dqm9lzTgt/x4MqE6Us7WWQukjlLny8/gyurNTR+6fxLqjsHZG+6woQETu
# Gg6angsOoAFyciFZ564rjGv80qQuccMVMjtrKvBZz/cmwUUz+Lb4tU3tUPBqomGX
# wiofVtL4qcXs94OHWX654UX/iXgkRqC3r+aC0xT37cL4svC8N69BhilxI5+gIGxZ
# ZjaQhHx/0e+Ut3c+xrjYHbywQMd9L9AhRyYSMz5BNeLg9+yUiMR+hvGVR/SubLN1
# iiLS07CRgdOKdP6ts7CC7txAgDw4h3cPN5Hz+gqXMJTcnBKpXpnF1lL+Zd/J5++N
# 8qMVQH5O4REQRISsbKaOPW8PCiPESsUaHb/mWkre7iYLgkEdNMVQvRcnfx14ejbk
# /KKXolrG1huJXGQGnYvgJArHMBBL+ieIYiT6alKFNRNECLdioL46FuSOlirHVCGe
# StU22Vsl61M8ifDOPdolK55X5Q==
# =npwd
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 03 May 2022 06:12:20 AM PDT
# gpg: using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]

* tag 'misc-pull-request' of gitlab.com:marcandre.lureau/qemu: (23 commits)
util: rename qemu_*block() socket functions
tests: replace qemu_set_nonblock()
net: replace qemu_set_nonblock()
ui: replace qemu_set_nonblock()
hw: replace qemu_set_nonblock()
qga: replace qemu_set_nonblock()
io: replace qemu_set{_non}block()
chardev: replace qemu_set_nonblock()
io: make qio_channel_command_new_pid() static
Replace fcntl(O_NONBLOCK) with g_unix_set_fd_nonblocking()
io: replace pipe() with g_unix_open_pipe(CLOEXEC)
virtiofsd: replace pipe() with g_unix_open_pipe(CLOEXEC)
os-posix: replace pipe()+cloexec with g_unix_open_pipe(CLOEXEC)
tests: replace pipe() with g_unix_open_pipe(CLOEXEC)
qga: replace pipe() with g_unix_open_pipe(CLOEXEC)
util: replace pipe()+cloexec with g_unix_open_pipe()
Replace qemu_pipe() with g_unix_open_pipe()
block: move fcntl_setfl()
Use g_unix_set_fd_nonblocking()
libqtest: split QMP part in libqmp
...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

tests: move libqtest.h back under qtest/

Since commit a2ce7dbd917 ("meson: convert tests/qtest to meson"),
libqtest.h is under libqos/ directory, while libqtest.c is still in
qtest/. Move back to it

tests: move libqtest.h back under qtest/

Since commit a2ce7dbd917 ("meson: convert tests/qtest to meson"),
libqtest.h is under libqos/ directory, while libqtest.c is still in
qtest/. Move back to its original location to avoid mixing with libqos/.

Suggested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

show more ...

Merge tag 'pull-request-2022-04-20' of https://gitlab.com/thuth/qemu into staging

* Drop perl-Test-Harness from the CI containers / VMs
* Some qtest fixes
* Convert ccid doc to restructuredText
* Ad

Merge tag 'pull-request-2022-04-20' of https://gitlab.com/thuth/qemu into staging

* Drop perl-Test-Harness from the CI containers / VMs
* Some qtest fixes
* Convert ccid doc to restructuredText
* Add compat machines for 7.1
* Allow overwrite smp and memory size in avocado tests

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmJf32MRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbXEHQ//e4S4rlETwKwIQR6SqaOGl9wQr8yPX80r
# V6UFMt+MhTdtItBDa+cDrWY7xkBU3DpIPcfDRfg4P7F/WB5LFaXfYPQHIB28cmkQ
# f5nX4dIVfas/wS+2zk8uvaZEsuv0QiVCKldF2+Z49rE/1UMDfJkHJI+c3MvJToe7
# CPuzR9SL7wfb3gFV5YrDqyZFRtpUurNhQ3j7sfmh+9P+9QVZg118pDI/lE2WIIBT
# HwrB0/keRdgepEv/n+6bwIhf+XRPnKyK8ETRo5vaVaj5BxKDHDVaevNYABp1kBB5
# udyCrEtS4KjPmyNgsMc1ZnIdG2R2pGyRPPYvVUXVpODkAQFoprjTS4yc5Gauqeuj
# EtrDJDnV+EFtZZlnd2T4Uj+ZxTR9suXWF+kJU8R7vXX5Dffu7C7tAw88FqQoG1GR
# mlhtN4fng2PJ/wEZUc+OESVjLUW/3H8yA6rRsbD21gMFaPVxrxc5iXrJoPEWoz1q
# BPbc+1v+lf3PgIDTMokogV0HFaxl8Xoq7T1TaXhQHEbEchfPib55VAHnN7rXKJgs
# eQt7FBqRTCZdFgRnKNZ71NMGdW2suHRk2lpabGPcuGb/bxyJWc6lcdOM8uEMDUlq
# vzAZwbXx3mlGArx7jaGERTrColCgMa0WLbQZ54eP1qCJnqUbzadaIQxmlMaPFWgm
# 2imKnvET5PM=
# =vsLu
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 20 Apr 2022 03:24:35 AM PDT
# gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [undefined]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [undefined]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2022-04-20' of https://gitlab.com/thuth/qemu:
tests/avocado: Allow overwrite smp and memory size command line options
hw: Add compat machines for 7.1
docs/ccid: convert to restructuredText
tests/qtest: properly initialise the vring used idx
tests/qtest: Move the fuzz tests to x86 only
tests/qtest: Enable more tests for the "mipsel" target
tests: Drop perl-Test-Harness from the CI containers / VMs

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

tests/qtest: Move the fuzz tests to x86 only

The fuzz tests are currently scheduled for all targets, but their setup
code limits the run to "i386", so that these tests always show "SKIP"
on other ta

tests/qtest: Move the fuzz tests to x86 only

The fuzz tests are currently scheduled for all targets, but their setup
code limits the run to "i386", so that these tests always show "SKIP"
on other targets. Move it to the right x86 list in meson.build, then
we can drop the architecture check during runtime, too.

Message-Id: <20220414130127.719528-1-thuth@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

show more ...

Merge tag 'pull-request-2022-03-21' of https://gitlab.com/thuth/qemu into staging

* Fix stack-overflow due to recursive DMA in intel-hda (CVE-2021-3611)
* Fix heap overflow due to recursive DMA in s

Merge tag 'pull-request-2022-03-21' of https://gitlab.com/thuth/qemu into staging

* Fix stack-overflow due to recursive DMA in intel-hda (CVE-2021-3611)
* Fix heap overflow due to recursive DMA in sdhci code

# gpg: Signature made Mon 21 Mar 2022 16:14:36 GMT
# gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2022-03-21' of https://gitlab.com/thuth/qemu:
tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)
hw/sd/sdhci: Prohibit DMA accesses to devices
hw/sd/sdhci: Honor failed DMA transactions
tests/qtest/intel-hda-test: Add reproducer for issue #542
hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices)
hw/audio/intel-hda: Do not ignore DMA overrun errors
softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR
softmmu/physmem: Simplify flatview_write and address_space_access_valid

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the p

tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:

$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
READ of size 1 at 0x61500002a080 thread T0
#0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
#1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
#2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
#3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
#4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
#5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
#6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
#7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
#8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
#9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
#10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
#11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
#12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
#13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
#14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
#15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
#16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
#17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
#18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
#19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
#20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
#21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
#22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
#23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
allocated by thread T0 here:
#0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
#1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
#2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
Shadow bytes around the buggy address:
0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Heap left redzone: fa
Freed heap region: fd
==447470==ABORTING
Broken pipe
ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211215205656.488940-4-philmd@redhat.com>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <thuth@redhat.com>

show more ...

Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging

SD/MMC patches queue

- sdcard: Fix assertion accessing out-of-range addresses
with SEND_WRITE_PROT (CMD30)

# gpg: S

Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210803' into staging

SD/MMC patches queue

- sdcard: Fix assertion accessing out-of-range addresses
with SEND_WRITE_PROT (CMD30)

# gpg: Signature made Tue 03 Aug 2021 18:38:03 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE

* remotes/philmd/tags/sdmmc-20210803:
hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30
hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816f

hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers the assertion added in commit 84816fb63e5
("hw/sd/sdcard: Assert if accessing an illegal group"):

qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
Assertion `wpnum < sd->wpgrps_size' failed.
#3 0x7f62a8b22c91 in __assert_fail
#4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
#5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
#6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
#7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
#8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
#9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
#10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5

It is legal for the CMD30 to query for out-of-range addresses.
Such invalid addresses are simply ignored in the response (write
protection bits set to 0).

In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal
group") we misplaced the assertion *before* we test the address is
in range. Move it *after*.

Include the qtest reproducer provided by Alexander Bulekov:

$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Cc: qemu-stable@nongnu.org
Reported-by: OSS-Fuzz (Issue 29225)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210802235524.3417739-3-f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>

show more ...

Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210712' into staging

SD/MMC patches queue

- sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

# gpg: Signature made Mon 12

Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210712' into staging

SD/MMC patches queue

- sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

# gpg: Signature made Mon 12 Jul 2021 11:28:13 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE

* remotes/philmd/tags/sdmmc-20210712:
hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)
hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses
hw/sd/sdcard: When card is in wrong state, log which state it is

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

qemu-fuzz-i386: hw/s

hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
==11578== ERROR: libFuzzer: deadly signal
#8 0x7ffff628e091 in __assert_fail
#9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
#10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
#11 0x5555588d777c in sd_do_command hw/sd/sd.c
#12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
#13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
#14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
#15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210702155900.148665-4-f4bug@amsat.org>

show more ...