qemu/hw
Philippe Mathieu-Daudé 799f7f0104 hw/sd/sdhci: Prohibit DMA accesses to devices
The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is previously filled in RAM. An I/O access to the
device (frames #22 to #16) starts the DMA engine (frame #13). The
engine fetches the descriptor and executes the request, which itself
accesses the SDHCI I/O registers (frames #1 and #0), triggering a
re-entrancy issue.

Fix by prohibiting transactions from the DMA to devices. The DMA engine
is thus restricted to memories.

Reported-by: OSS-Fuzz (Issue 36391)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Message-Id: <20211215205656.488940-3-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-03-21 10:25:21 +01:00
9pfs 9pfs/coth.h: drop Doxygen format on v9fs_co_run_in_worker() 2022-03-07 11:49:31 +01:00
acpi hw/acpi: add indication for i8042 in IA-PC boot flags of the FADT table 2022-03-06 16:06:16 -05:00
adc hw/adc: Add basic Aspeed ADC model 2021-10-12 08:20:08 +02:00
alpha hw/alpha: Provide a PCI-ISA bridge device node 2021-06-28 07:27:32 -07:00
arm hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control 2022-03-18 11:31:20 +00:00
audio hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices) 2022-03-21 10:24:51 +01:00
avr hw/avr: Realize AVRCPU qdev object using qdev_realize() 2021-12-17 10:43:24 +01:00
block aspeed queue: 2022-03-09 18:06:40 +00:00
char hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
core clock-vmstate: Add missing END_OF_LIST 2022-03-02 18:12:40 +00:00
cpu cpu/core: Fix "help" of CPU core device types 2021-04-09 16:05:16 -04:00
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
display hw/display/vga: Report a proper error when adding a 2nd ISA VGA 2022-03-18 10:15:57 +01:00
dma hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size 2022-03-18 10:55:15 +00:00
gpio hw: aspeed_gpio: Cleanup stray semicolon after switch 2022-03-08 09:18:11 +01:00
hppa hppa: Add support for an emulated TOC/NMI button. 2022-02-02 18:46:42 +01:00
hyperv dma: Let dma_memory_map() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
i2c hw/i2c: Added linear mode translation for pmbus devices 2022-03-08 18:46:48 +01:00
i386 hw/i386/acpi-build: Avoid 'sun' identifier 2022-03-18 11:32:13 +00:00
ide MIPS patches queue 2022-03-09 09:13:39 +00:00
input hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
intc hw/intc: Rename CONFIG_ARM_GIC_TCG into CONFIG_ARM_GICV3_TCG 2022-03-18 10:55:15 +00:00
ipack qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
ipmi hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
isa hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
m68k mos6522: implement edge-triggering for CA1/2 and CB1/2 control line IRQs 2022-03-09 09:28:28 +00:00
mem Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
microblaze hw/microblaze: Replace drive_get_next() by drive_get() 2021-12-15 08:38:16 +01:00
mips hw/mips/gt64xxx_pci: Resolve gt64120_register() 2022-03-08 19:38:13 +01:00
misc hw/misc: Add a model of the Xilinx ZynqMP APU Control 2022-03-18 11:31:20 +00:00
net virtio-net: fix map leaking on error during receive 2022-03-15 13:57:44 +08:00
nios2 Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
nubus qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
nvme hw/nvme: 64-bit pi support 2022-03-03 09:30:21 +01:00
nvram hw/nvram: at24 return 0xff if 1 byte address 2022-03-14 14:48:35 +01:00
openrisc hw/openrisc/openrisc_sim: Add support for initrd loading 2022-02-26 10:39:36 +09:00
pci hw/pci/pci.c: Fix typos of "Firewire", and of "controller" on same line 2022-03-18 13:54:19 +01:00
pci-bridge pci: expose TYPE_XIO3130_DOWNSTREAM name 2022-03-06 05:08:23 -05:00
pci-host ppc/pnv: Remove user-created PHB{3,4,5} devices 2022-03-14 15:57:17 +01:00
pcmcia hw/pcmcia: Do not register PCMCIA type if not required 2021-05-02 17:24:50 +02:00
ppc ppc/pnv: Remove user-created PHB{3,4,5} devices 2022-03-14 15:57:17 +01:00
rdma hw/dma: Use dma_addr_t type definition when relevant 2022-01-18 12:56:29 +01:00
remote hw/remote: Add missing include 2022-02-21 10:18:06 +01:00
riscv hw: riscv: opentitan: fixup SPI addresses 2022-03-03 13:14:50 +10:00
rtc hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
rx hw/rx/rx-gdbsim: Do not accept invalid memory size 2021-05-03 10:07:41 +02:00
s390x s390x/cpumodel: Bump up QEMU model to a stripped-down IBM z15 GA1 2022-02-28 11:29:15 +01:00
scsi esp: recreate ESPState current_req after migration 2022-03-09 09:29:10 +00:00
sd hw/sd/sdhci: Prohibit DMA accesses to devices 2022-03-21 10:25:21 +01:00
sensor hw/sensor: add Renesas raa228000 device 2022-03-08 18:46:48 +01:00
sh4 hw/intc/sh_intc: Inline and drop sh_intc_source() function 2021-10-30 18:39:37 +02:00
smbios hw/smbios: Add table 4 parameter, "processor-id" 2022-03-06 05:28:55 -05:00
sparc sun4m: fix setting CPU id when more than one CPU is present 2021-09-08 11:09:45 +01:00
sparc64 hw: Replace trivial drive_get_next() by drive_get() 2021-12-15 08:38:16 +01:00
ssi aspeed/smc: Fix error log 2022-03-08 09:18:11 +01:00
timer hw/timer: fix a9gtimer vmstate 2022-02-21 13:30:21 +00:00
tpm MIPS patches queue 2022-03-09 09:13:39 +00:00
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb hw/usb/redirect.c: Stop using qemu_oom_check() 2022-03-04 11:20:16 +01:00
vfio kvm/msi: do explicit commit when adding msi routes 2022-03-15 11:26:20 +01:00
virtio virtio/virtio-balloon: Prefer Object* over void* parameter 2022-03-18 13:57:50 +01:00
watchdog watchdog: remove select_watchdog_action 2021-11-02 15:57:27 +01:00
xen aio-posix: split poll check from ready handler 2022-01-12 17:09:39 +00:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
Kconfig hw/arm: xlnx-zcu102: Add Xilinx eFUSE device 2021-09-30 13:42:10 +01:00
meson.build sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00