On Fri, Jul 2, 2021 at 11:59 PM Philippe Mathieu-Daudé <f4...@amsat.org> wrote:
>
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers an assertion:
>
> qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t):
> Assertion `wpnum < sd->wpgrps_size' failed.
> ==11578== ERROR: libFuzzer: deadly signal
> #8 0x7ffff628e091 in __assert_fail
> #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
> #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
> #11 0x5555588d777c in sd_do_command hw/sd/sd.c
> #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
> #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
> #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
> #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
>
> Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
> $ make check-qtest-i386
> ...
> Running test qtest-i386/fuzz-sdcard-test
> qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum <
> sd->wpgrps_size' failed.
>
> Reported-by: OSS-Fuzz (Issue 29225)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
> Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org>
> ---
> hw/sd/sd.c | 5 +++
> tests/qtest/fuzz-sdcard-test.c | 66 ++++++++++++++++++++++++++++++++++
> MAINTAINERS | 3 +-
> tests/qtest/meson.build | 1 +
> 4 files changed, 74 insertions(+), 1 deletion(-)
> create mode 100644 tests/qtest/fuzz-sdcard-test.c
>
Reviewed-by: Bin Meng <bmeng...@gmail.com>
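The failure mode the quoted commit message describes, as an added example that is not part of this thread and not QEMU's hw/sd/sd.c: a guest-controlled SEND_WRITE_PROT (CMD30) address is turned into a write-protect group index, and an address at or beyond the card's size yields an index at or beyond the bitmap, which the assertion caught. The model below puts the address-range check in front of the index computation, raises an ADDRESS_ERROR status instead of asserting, and leaves bits for groups past the end of the card clear. All names (ModelCard, model_send_write_prot, the status bit value, the 1 MiB test card) are assumptions made for the example.

```c
/* Constructed model of an SD card's write-protect group table and the
 * SEND_WRITE_PROT (CMD30) reply path. Example code for this page, not QEMU's
 * hw/sd/sd.c; the names and the status bit value are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define WP_REPLY_BITS 32                /* CMD30 reports 32 groups per query */
#define MODEL_MAX_GROUPS 512            /* bitmap capacity of this model */
#define STATUS_ADDRESS_ERROR (1u << 30) /* modelled card-status bit (assumption) */

typedef struct {
    uint64_t size;          /* card capacity in bytes */
    uint64_t wp_group_size; /* bytes per write-protect group */
    uint32_t wpgrps_size;   /* number of groups the bitmap holds */
    uint8_t  wp_groups[MODEL_MAX_GROUPS / 8];
    uint32_t card_status;
} ModelCard;

static bool model_card_init(ModelCard *c, uint64_t size, uint64_t wp_group_size)
{
    if (wp_group_size == 0 || size == 0 || size % wp_group_size != 0 ||
        size / wp_group_size > MODEL_MAX_GROUPS)
        return false;
    memset(c, 0, sizeof *c);
    c->size = size;
    c->wp_group_size = wp_group_size;
    c->wpgrps_size = (uint32_t)(size / wp_group_size);
    return true;
}

static bool model_card_protect_group(ModelCard *c, uint32_t group)
{
    if (group >= c->wpgrps_size)
        return false;
    c->wp_groups[group / 8] |= (uint8_t)(1u << (group % 8));
    return true;
}

/* The check the commit message describes as missing: validate the
 * guest-supplied address before turning it into a group index. Any address
 * at or past the card's size maps to wpnum >= wpgrps_size. */
static bool model_wp_addr_in_range(const ModelCard *c, uint64_t addr)
{
    return addr < c->size;
}

/* Hardened CMD30: on success writes the 32-bit reply and returns true; on an
 * illegal address raises ADDRESS_ERROR and reads no bitmap entry. Groups past
 * the end of the card are reported as not protected (bits left clear). */
static bool model_send_write_prot(ModelCard *c, uint64_t addr, uint32_t *reply)
{
    if (!model_wp_addr_in_range(c, addr)) {
        c->card_status |= STATUS_ADDRESS_ERROR;
        return false;
    }
    uint32_t wpnum = (uint32_t)(addr / c->wp_group_size); /* < wpgrps_size */
    uint32_t ret = 0;
    for (uint32_t i = 0; i < WP_REPLY_BITS; i++, wpnum++) {
        if (wpnum >= c->wpgrps_size) /* query window runs off the card */
            break;
        if ((c->wp_groups[wpnum / 8] >> (wpnum % 8)) & 1u)
            ret |= 1u << i;
    }
    *reply = ret;
    return true;
}

/* Constructed test card: 1 MiB with 4 KiB groups (256 groups), groups 3, 40
 * and 255 write-protected. */
static bool model_demo_card(ModelCard *c)
{
    return model_card_init(c, 1u << 20, 4096)
        && model_card_protect_group(c, 3)
        && model_card_protect_group(c, 40)
        && model_card_protect_group(c, 255);
}

/* Reply for a CMD30 query at addr, or UINT32_MAX if the card rejected it. */
static uint32_t model_demo_reply(uint64_t addr)
{
    ModelCard c;
    uint32_t reply = 0;
    if (!model_demo_card(&c) || !model_send_write_prot(&c, addr, &reply))
        return UINT32_MAX;
    return reply;
}

/* True when the query is refused and ADDRESS_ERROR is set. */
static bool model_demo_rejected(uint64_t addr)
{
    ModelCard c;
    uint32_t reply = 0;
    if (!model_demo_card(&c))
        return false;
    return !model_send_write_prot(&c, addr, &reply)
        && (c.card_status & STATUS_ADDRESS_ERROR) != 0;
}
```

The range check sits before the division on purpose: once `addr < size` holds and `size` is a whole number of groups, the first index is guaranteed inside the bitmap, and the in-loop `wpnum >= wpgrps_size` test only handles a query window that straddles the end of the card. Rejecting with a status bit rather than asserting is what keeps a fuzzer-supplied address from taking down the emulator.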