qemu/hw-ufs-Fix-buffer-overflow-bug.patch

From 73fecb1c0fab9a1e0593b769c36bdc795c9316ae Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 15 May 2024 15:52:28 +0800
Subject: [PATCH] hw/ufs: Fix buffer overflow bug

cheery-pick from f2c8aeb1afefcda92054c448b21fc59cdd99db30

It fixes the buffer overflow vulnerability in the ufs device.
The bug was detected by sanitizers.

You can reproduce it by:

cat << EOF |\
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000058 0x1 0xa7
write 0xa 0x1 0x50
EOF

Resolves: #2299
Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
 hw/ufs/ufs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index eccdb852a0..bac78a32bb 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -126,6 +126,10 @@ static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
     copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
                 data_segment_length;
 
+    if (copy_size > sizeof(req->req_upiu)) {
+        copy_size = sizeof(req->req_upiu);
+    }
+
     ret = ufs_addr_read(u, req_upiu_base_addr, &req->req_upiu, copy_size);
     if (ret) {
         trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
@@ -225,6 +229,10 @@ static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
         copy_size = rsp_upiu_byte_len;
     }
 
+    if (copy_size > sizeof(req->rsp_upiu)) {
+        copy_size = sizeof(req->rsp_upiu);
+    }
+
     ret = ufs_addr_write(u, rsp_upiu_base_addr, &req->rsp_upiu, copy_size);
     if (ret) {
         trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-14； - target/riscv/cpu.c: fix Zvkb extension config - target/i386: Add new Hygon 'Dharma' CPU model - target/i386: Add Hygon Dhyana-v3 CPU model - ui/gtk: Fix mouse/motion event scaling issue with GTK display backend - hw/ufs: Fix buffer overflow bug - arm/virt: Set vcpus_count of CPU as 1 to compatible with libvirt - ppc/pnv: I2C controller is not user creatablei Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> 2024-06-15 08:53:45 +08:00			`From 73fecb1c0fab9a1e0593b769c36bdc795c9316ae Mon Sep 17 00:00:00 2001`
			`From: qihao <qihao_yewu@cmss.chinamobile.com>`
			`Date: Wed, 15 May 2024 15:52:28 +0800`
			`Subject: [PATCH] hw/ufs: Fix buffer overflow bug`

			`cheery-pick from f2c8aeb1afefcda92054c448b21fc59cdd99db30`

			`It fixes the buffer overflow vulnerability in the ufs device.`
			`The bug was detected by sanitizers.`

			`You can reproduce it by:`

			`cat << EOF \|\`
			`qemu-system-x86_64 \`
			`-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \`
			`file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \`
			`ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio`
			`outl 0xcf8 0x80000810`
			`outl 0xcfc 0xe0000000`
			`outl 0xcf8 0x80000804`
			`outw 0xcfc 0x06`
			`write 0xe0000058 0x1 0xa7`
			`write 0xa 0x1 0x50`
			`EOF`

			`Resolves: #2299`
			`Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")`
			`Reported-by: Zheyu Ma <zheyuma97@gmail.com>`
			`Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>`
			`Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`---`
			`hw/ufs/ufs.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c`
			`index eccdb852a0..bac78a32bb 100644`
			`--- a/hw/ufs/ufs.c`
			`+++ b/hw/ufs/ufs.c`
			`@@ -126,6 +126,10 @@ static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)`
			`copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +`
			`data_segment_length;`

			`+ if (copy_size > sizeof(req->req_upiu)) {`
			`+ copy_size = sizeof(req->req_upiu);`
			`+ }`
			`+`
			`ret = ufs_addr_read(u, req_upiu_base_addr, &req->req_upiu, copy_size);`
			`if (ret) {`
			`trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);`
			`@@ -225,6 +229,10 @@ static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)`
			`copy_size = rsp_upiu_byte_len;`
			`}`

			`+ if (copy_size > sizeof(req->rsp_upiu)) {`
			`+ copy_size = sizeof(req->rsp_upiu);`
			`+ }`
			`+`
			`ret = ufs_addr_write(u, rsp_upiu_base_addr, &req->rsp_upiu, copy_size);`
			`if (ret) {`
			`trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);`
			`--`
			`2.41.0.windows.1`