sdhci: out of bounds read on sd->sd_status
Hello,
This doesn't crash, since the OOB access still lands within the sd struct; however, it is still UB.
Reproducer
export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -nodefaults -device sdhci-pci,sd-spec-version=3 -device \
sd-card,drive=mydrive -drive \
if=none,index=0,file=null-co://,format=raw,id=mydrive -nographic -qtest \
/dev/null -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x02
write 0xe000002c 0x1 0x05
write 0xe000000f 0x1 0x37
write 0xe000000a 0x1 0x01
write 0xe000000f 0x1 0x29
write 0xe000000f 0x1 0x02
write 0xe000000f 0x1 0x03
write 0xe000000c 0x1 0x32
write 0xe000000f 0x1 0x06
write 0xe0000005 0x1 0x01
write 0xe0000007 0x1 0x01
write 0xe0000003 0x1 0x00
write 0xe000000f 0x1 0x11
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
write 0xe000000f 0x1 0x0d
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
EOF
Stack-Trace
../hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]'
#0 sd_read_byte hw/sd/sd.c:1984:15
#1 sdbus_read_data hw/sd/core.c:157:23
#2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9
#3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13
#4 sdhci_write hw/sd/sdhci.c:1195:13
#5 memory_region_write_accessor softmmu/memory.c:492:5
#6 access_with_adjusted_size softmmu/memory.c:554:18
#7 memory_region_dispatch_write softmmu/memory.c
#8 flatview_write_continue softmmu/physmem.c:2778:23
#9 flatview_write softmmu/physmem.c:2818:14
#10 address_space_write softmmu/physmem.c:2910:18
#11 qtest_process_command softmmu/qtest.c:670:9
#12 qtest_process_inbuf softmmu/qtest.c:813:9
#13 fd_chr_read chardev/char-fd.c:68:9
#14 g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51d6e)
#15 glib_pollfds_poll util/main-loop.c:232:9
#16 os_host_main_loop_wait util/main-loop.c:255:5
#17 main_loop_wait util/main-loop.c:531:11
#18 qemu_main_loop softmmu/runstate.c:726:9
#19 main softmmu/main.c:50:5
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/sd/sd.c:1984:15 in
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240
Thank you
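The trace above shows a byte-at-a-time read of a 64-byte status register (uint8_t [64]) reaching index 256, i.e. the running read offset was never checked against the array it indexes. The C below is an added illustration and not QEMU's hw/sd code: the ModelCard type, its data_offset field, the model_* functions and the 0xFF fill value are all constructed for this example. It models such a reader with the offset validated against sizeof the array before every access, so a host-requested block length larger than the register is rejected byte by byte (and counted, so the device model can log it) instead of indexing past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a card with a 64-byte status register that the
 * host drains one byte per read, as the trace shows for sd_status. */
#define SD_STATUS_LEN 64

typedef struct {
    uint8_t sd_status[SD_STATUS_LEN];
    uint32_t data_offset;   /* hypothetical: next byte to hand to the host */
} ModelCard;

static void model_card_init(ModelCard *sd)
{
    memset(sd, 0, sizeof(*sd));
    for (int i = 0; i < SD_STATUS_LEN; i++) {
        sd->sd_status[i] = (uint8_t)i;   /* constructed fill pattern */
    }
}

/* Hardened per-byte read: the offset is checked against the array size
 * before it is used as an index. An out-of-range request yields a
 * constant (0xFF here, a constructed choice) and returns -1 so the
 * caller can account for it; the offset is not advanced. */
static int model_read_byte(ModelCard *sd, uint8_t *out)
{
    if (sd->data_offset >= sizeof(sd->sd_status)) {
        *out = 0xFF;
        return -1;
    }
    *out = sd->sd_status[sd->data_offset++];
    return 0;
}

/* Drain one block the way a host controller would. Returns the number of
 * bytes actually taken from the register; *rejected counts the requests
 * that fell outside it (the unchecked equivalent would have read them
 * out of bounds). */
static size_t model_read_block(ModelCard *sd, uint8_t *buf, size_t blklen,
                               size_t *rejected)
{
    size_t got = 0;
    *rejected = 0;
    for (size_t i = 0; i < blklen; i++) {
        uint8_t b;
        if (model_read_byte(sd, &b) == 0) {
            buf[got++] = b;
        } else {
            (*rejected)++;
        }
    }
    return got;
}

/* Scenario from the trace: a block length larger than the 64-byte
 * register. The two wrappers return the valid-byte count and the
 * rejected-request count for a fresh card. */
static size_t model_scenario(size_t blklen, size_t *rejected)
{
    ModelCard sd;
    uint8_t buf[1024];
    model_card_init(&sd);
    if (blklen > sizeof(buf)) {
        blklen = sizeof(buf);
    }
    return model_read_block(&sd, buf, blklen, rejected);
}

static size_t model_scenario_read(size_t blklen)
{
    size_t rejected;
    return model_scenario(blklen, &rejected);
}

static size_t model_scenario_rejected(size_t blklen)
{
    size_t rejected;
    (void)model_scenario(blklen, &rejected);
    return rejected;
}

int main(void)
{
    printf("blklen 512: %zu bytes served, %zu requests rejected\n",
           model_scenario_read(512), model_scenario_rejected(512));
    printf("blklen 64:  %zu bytes served, %zu requests rejected\n",
           model_scenario_read(64), model_scenario_rejected(64));
    return 0;
}
```

With a 512-byte block request the model serves the 64 register bytes and rejects the remaining 448 reads; with a 64-byte request nothing is rejected. The point of the check is that the index is compared against the size of the array being indexed, not against a separately tracked block length, so a mismatch between the two (which is what the guest-controlled register writes in the reproducer set up) cannot turn into an out-of-bounds read.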