On Wed, 28 Jul 2021 at 19:19, Philippe Mathieu-Daudé <f4...@amsat.org> wrote:
>
> OSS-Fuzz found sending illegal addresses when querying the write
> protection bits triggers the assertion added in commit 84816fb63e5
> ("hw/sd/sdcard: Assert if accessing an illegal group"):
>
> qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t
> sd_wpbits(SDState *, uint64_t):
> Assertion `wpnum < sd->wpgrps_size' failed.
> #3 0x7f62a8b22c91 in __assert_fail
> #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9
> #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38
> #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17
> #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16
> #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12
> #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9
> #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5
>
> It is legal for the CMD30 to query for out-of-range addresses.
> Such invalid addresses are simply ignored in the response (write
> protection bits set to 0).
>
> Note, we had an off-by-one in the wpgrps_size check since commit
> a1bb27b1e98. Since we have a total of 'wpgrps_size' bits, the latest
> valid group bit is 'wpgrps_size - 1'.
The commit message says "wpgrps_size - 1" is valid...
> @@ -820,8 +820,8 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
>
> wpnum = sd_addr_to_wpnum(addr);
>
> - for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
> - assert(wpnum < sd->wpgrps_size);
> + for (i = 0; i < 32 && wpnum < sd->wpgrps_size - 1;
...but the code change makes the loop terminate when
wpnum == wpgrps_size - 1, so we don't execute the loop
body for wpgrps_size -1.
Which is correct ?
> + i++, wpnum++, addr += WPGROUP_SIZE) {
thanks
-- PMM
