From patchwork Wed Dec 15 20:56:53 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12679409
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Laurent Vivier, Peter Maydell, Thomas Huth, qemu-block@nongnu.org, David Hildenbrand, Jason Wang, Bin Meng, Li Qiang, Peter Xu, Qiuhao Li, Darren Kenny, Bandan Das, Gerd Hoffmann, Stefan Hajnoczi, Edgar E. Iglesias, Alexander Bulekov, Paolo Bonzini, Mauro Matteo Cascella, Philippe Mathieu-Daudé
Subject: [RFC PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue
Date: Wed, 15 Dec 2021 21:56:53 +0100
Message-Id: <20211215205656.488940-1-philmd@redhat.com>
Based-on: <20211215182421.418374-1-philmd@redhat.com>

Hi,

This series is an attempt to fix the DMA re-entrancy problem on the
SDHCI device. OSS-Fuzz found it and Alexander generated a helpful
reproducer.
By setting the MemTxAttrs::memory bit before doing DMA transactions,
the flatview API will return MEMTX_BUS_ERROR if the transaction targets
a non-memory (a device), which is usually how DMA-reentrancy bugs are
exploited.

On real hardware, the checks are on the interconnect bus, not in the
SDHCI block. However, QEMU blocks aren't modelled that way. Using the
flatview API seems (to me) the simplest and closest to hardware; it is
a generic API and we can use it to trace bus transactions on all
blocks.

Note this series is simply one example to fix the generic issues.
The important changes are in the previous series:
https://lore.kernel.org/qemu-devel/20211215182421.418374-1-philmd@redhat.com/

Based-on: <20211215182421.418374-1-philmd@redhat.com>
"physmem: Have flatview API check bus permission from MemTxAttrs"

Cc: Mauro Matteo Cascella
Cc: Qiuhao Li
Cc: Peter Xu
Cc: Jason Wang
Cc: David Hildenbrand
Cc: Gerd Hoffmann
Cc: Peter Maydell
Cc: Li Qiang
Cc: Thomas Huth
Cc: Laurent Vivier
Cc: Bandan Das
Cc: Edgar E. Iglesias
Cc: Darren Kenny
Cc: Bin Meng
Cc: Paolo Bonzini
Cc: Alexander Bulekov
Cc: Stefan Hajnoczi

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Honor failed DMA transactions
  hw/sd/sdhci: Prohibit DMA accesses to devices
  tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

 hw/sd/sdhci.c                  | 35 ++++++++++++----
 tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 9 deletions(-)
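The two halves of the fix the cover letter describes (the bus refusing a device target when the requester sets the memory-only attribute, and the DMA engine stopping on a failed transaction instead of ignoring the result) can be shown in a self-contained model. The code below is an added example, not QEMU's code or the series' hunks: the names MemTxAttrs, MemTxResult and address_space_write mirror QEMU's API, but the region map, the toy SDHCI register handler, the beat size and the payload are all constructed here for illustration. The "re-entry" it counts stands in for the real controller restarting a transfer from its own register-write handler while a transfer is already in flight.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Transaction results; names follow QEMU's MemTxResult, values are our own. */
typedef enum {
    MEMTX_OK = 0,
    MEMTX_DECODE_ERROR = 2,   /* nothing mapped at that address */
    MEMTX_BUS_ERROR = 4       /* the bus refused the transaction */
} MemTxResult;

/* Attributes carried with each bus transaction. `memory` is the proposed
 * bit: "this requester may only target RAM, never a device". */
typedef struct { unsigned memory : 1; } MemTxAttrs;

typedef struct {
    bool dma_running;   /* a transfer is in flight */
    int reentered;      /* register writes that arrived mid-transfer */
} SDHCIState;

static SDHCIState sdhci;

/* Toy SDHCI register-write handler. A real controller may start a new
 * transfer from here; doing so while one is in flight is the re-entrancy
 * bug, so we only count the event instead of recursing. */
static void sdhci_mmio_write(uint64_t off, const uint8_t *buf, size_t len)
{
    (void)off; (void)buf; (void)len;
    if (sdhci.dma_running) {
        sdhci.reentered++;
    }
}

/* Constructed bus map: 256 bytes of RAM at 0, SDHCI registers at 0x1000. */
#define RAM_SIZE 256
static uint8_t ram[RAM_SIZE];

typedef struct { uint64_t base, size; bool is_ram; } Region;
static const Region regions[] = {
    { 0x0000, RAM_SIZE, true  },
    { 0x1000, 0x100,    false },
};

/* Toy flatview dispatcher: the permission check lives on the "bus", not in
 * the device that issues the DMA, as the cover letter argues. */
static MemTxResult address_space_write(uint64_t addr, MemTxAttrs attrs,
                                       const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const Region *r = &regions[i];
        if (addr < r->base || addr + len > r->base + r->size) {
            continue;
        }
        if (r->is_ram) {
            memcpy(ram + (addr - r->base), buf, len);
            return MEMTX_OK;
        }
        if (attrs.memory) {
            return MEMTX_BUS_ERROR;   /* device target, memory-only requester */
        }
        sdhci_mmio_write(addr - r->base, buf, len);
        return MEMTX_OK;
    }
    return MEMTX_DECODE_ERROR;
}

/* DMA engine: writes `len` bytes to bus address `dst` in 4-byte beats and
 * stops at the first failed beat (the "honor failed DMA transactions"
 * half). Returns the last beat's result; *done gets the bytes transferred. */
static MemTxResult sdhci_dma_write(uint64_t dst, const uint8_t *src, size_t len,
                                   bool memory_only, size_t *done)
{
    MemTxAttrs attrs = { .memory = memory_only };
    MemTxResult res = MEMTX_OK;

    sdhci.dma_running = true;
    sdhci.reentered = 0;
    *done = 0;
    while (*done < len) {
        size_t beat = len - *done < 4 ? len - *done : 4;
        res = address_space_write(dst + *done, attrs, src + *done, beat);
        if (res != MEMTX_OK) {
            break;
        }
        *done += beat;
    }
    sdhci.dma_running = false;
    return res;
}

typedef struct { MemTxResult res; size_t done; int reentered; bool ram_ok; } DmaOutcome;

/* Runs one scenario with a constructed 16-byte payload and reports what happened. */
static DmaOutcome run_scenario(uint64_t dst, bool memory_only)
{
    static const uint8_t payload[16] = "sample payload!";
    DmaOutcome o;
    memset(ram, 0, sizeof ram);
    o.res = sdhci_dma_write(dst, payload, sizeof payload, memory_only, &o.done);
    o.reentered = sdhci.reentered;
    o.ram_ok = dst + sizeof payload <= RAM_SIZE &&
               memcmp(ram + dst, payload, sizeof payload) == 0;
    return o;
}

int main(void)
{
    DmaOutcome a = run_scenario(0x1000, false);  /* DMA into own registers, unchecked */
    DmaOutcome b = run_scenario(0x1000, true);   /* same target, memory-only attribute */
    DmaOutcome c = run_scenario(0x10, true);     /* ordinary RAM target */
    printf("device, memory=0: res=%d done=%zu reentered=%d\n", a.res, a.done, a.reentered);
    printf("device, memory=1: res=%d done=%zu reentered=%d\n", b.res, b.done, b.reentered);
    printf("RAM,    memory=1: res=%d done=%zu ram_ok=%d\n", c.res, c.done, c.ram_ok);
    return 0;
}
```

Without the attribute, every beat aimed at the register window lands in the device's write handler while the transfer is still running; with it, the first beat comes back as MEMTX_BUS_ERROR, the engine stops with nothing transferred, and RAM targets are unaffected. A DMA loop that discards the MemTxResult would never see the difference, which is why the first patch in the series matters as much as the second.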