[PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac

zhaoguohan_salmon@163.com posted 1 patch 1 week, 1 day ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20251106072818.25075-1-zhaoguohan._5Fsalmon@163.com
Maintainers: "Philippe Mathieu-Daudé" <philmd@linaro.org>, Bin Meng <bmeng.cn@gmail.com>
hw/sd/sd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
From: GuoHan Zhao <zhaoguohan@kylinos.cn>

Coverity reported a potential out-of-bounds read in rpmb_calc_hmac():

CID 1642869: Out-of-bounds read (OVERRUN)
Overrunning array of 256 bytes at byte offset 256 by dereferencing
pointer &frame->data[256].

The issue arises from using &frame->data[RPMB_DATA_LEN] as the source
pointer for memcpy(). Although computing a one-past-the-end pointer is
legal, dereferencing it (as memcpy() does) is undefined behavior in C.

Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
---
 hw/sd/sd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c86c016cc9d..bc2e9863a534 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1161,7 +1161,8 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
 
         assert(RPMB_HASH_LEN <= sizeof(sd->data));
 
-        memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
+        memcpy((uint8_t *)buf + RPMB_DATA_LEN,
+               (const uint8_t *)frame + RPMB_DATA_LEN,
                RPMB_HASH_LEN - RPMB_DATA_LEN);
         offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
         do {
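Review bot: the new source pointer `(const uint8_t *)frame + RPMB_DATA_LEN` is the same address as the old `&frame->data[RPMB_DATA_LEN]` only when `data` is the first member of RPMBDataFrame (offsetof(RPMBDataFrame, data) == 0); nothing in this hunk establishes that, and the existing `assert(RPMB_HASH_LEN <= sizeof(sd->data))` constrains sd->data, not the frame layout. If `data` sits at a non-zero offset, the memcpy() silently copies the wrong `RPMB_HASH_LEN - RPMB_DATA_LEN` bytes into the MAC input, so the HMAC is computed over the wrong fields and no Coverity or compiler diagnostic will flag it. Anchoring the arithmetic on the member keeps the Coverity fix without that risk: `(const uint8_t *)frame + offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN`, or take the address of the member that follows `data` and add a QEMU_BUILD_BUG_ON() that its offset equals `offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN`. The commit message should then state why the new expression is equivalent to the old one.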
-- 
2.43.0
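The following is an added illustration, not code from this patch or from QEMU, of why the source-pointer rewrite in the hunk depends on the frame layout. The RPMBDataFrame below is a constructed stand-in whose field order follows the 512-byte eMMC RPMB frame (stuff bytes and key/MAC field ahead of `data`); the real struct in hw/sd/sd.c is not shown on this page. RPMB_HASH_LEN = 284 (data plus a 28-byte trailer) is assumed from the eMMC spec, and the function names are hypothetical. It compares the original expression, the patch's expression and an offsetof()-anchored alternative, and checks which of them put the frame's real trailer bytes into the buffer that an rpmb_calc_hmac()-style routine would feed to the HMAC.

```c
/*
 * Added example, not code from this patch or from QEMU. Shows when
 * "(uint8_t *)frame + RPMB_DATA_LEN" is, and is not, the same pointer as
 * "&frame->data[RPMB_DATA_LEN]", and what a wrong choice does to the
 * buffer an rpmb_calc_hmac()-style routine feeds to the HMAC.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPMB_DATA_LEN    256
#define RPMB_HASH_LEN    284   /* assumed: MAC covers data + 28 trailing bytes (eMMC spec) */
#define RPMB_TRAILER_LEN (RPMB_HASH_LEN - RPMB_DATA_LEN)

/*
 * Constructed stand-in for RPMBDataFrame (hypothetical layout, not the
 * struct from hw/sd/sd.c). Field order follows the eMMC RPMB frame, so
 * `data` is NOT the first member.
 */
typedef struct {
    uint8_t stuff_bytes[196];
    uint8_t key_mac[32];
    uint8_t data[RPMB_DATA_LEN];
    uint8_t nonce[16];
    uint8_t write_counter[4];
    uint8_t address[2];
    uint8_t block_count[2];
    uint8_t result[2];
    uint8_t req_resp[2];
} RPMBDataFrame;

/* All members are byte arrays, so there is no padding; pin that down. */
_Static_assert(sizeof(RPMBDataFrame) == 512, "RPMB frame must be 512 bytes");
/* The MAC trailer must be exactly the bytes that follow data. */
_Static_assert(offsetof(RPMBDataFrame, nonce) ==
               offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN,
               "nonce must immediately follow data");
_Static_assert(sizeof(RPMBDataFrame) - offsetof(RPMBDataFrame, data) == RPMB_HASH_LEN,
               "MAC coverage must be data plus the rest of the frame");

/* Original source pointer: one past the end of data. Legal to form, and it
 * lands on nonce, but memcpy() through it is what the analyzer flagged. */
const uint8_t *trailer_data_end(const RPMBDataFrame *f)
{
    return &f->data[RPMB_DATA_LEN];
}

/* The patch's source pointer: RPMB_DATA_LEN bytes past the frame base.
 * Equal to the above only if offsetof(RPMBDataFrame, data) == 0. */
const uint8_t *trailer_frame_base(const RPMBDataFrame *f)
{
    return (const uint8_t *)f + RPMB_DATA_LEN;
}

/* Layout-independent alternative: byte arithmetic anchored on data itself. */
const uint8_t *trailer_offsetof(const RPMBDataFrame *f)
{
    return (const uint8_t *)f + offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN;
}

/* Byte offset of p within the frame, for reporting. */
size_t offset_in_frame(const RPMBDataFrame *f, const uint8_t *p)
{
    return (size_t)(p - (const uint8_t *)f);
}

/*
 * Lay out the RPMB_HASH_LEN-byte MAC input the way the patched code does:
 * data first (QEMU reads those bytes from the backing store; here they come
 * from the frame), then RPMB_TRAILER_LEN bytes from trailer(f). Returns 1 if
 * the trailer in buf is the frame's real nonce..req_resp bytes, 0 if the
 * pointer choice copied something else into the authenticated input.
 */
int mac_input_trailer_ok(const RPMBDataFrame *f,
                         const uint8_t *(*trailer)(const RPMBDataFrame *))
{
    uint8_t buf[RPMB_HASH_LEN];
    const uint8_t *real = (const uint8_t *)f + offsetof(RPMBDataFrame, nonce);

    memcpy(buf, f->data, RPMB_DATA_LEN);
    memcpy(buf + RPMB_DATA_LEN, trailer(f), RPMB_TRAILER_LEN);
    return memcmp(buf + RPMB_DATA_LEN, real, RPMB_TRAILER_LEN) == 0;
}

/* Constructed frame with a distinct fill per field so a misread is visible. */
void make_frame(RPMBDataFrame *f)
{
    memset(f, 0, sizeof *f);
    memset(f->key_mac, 0xAA, sizeof f->key_mac);
    for (size_t i = 0; i < RPMB_DATA_LEN; i++) {
        f->data[i] = (uint8_t)i;
    }
    memset(f->nonce, 0x11, sizeof f->nonce);
    memset(f->write_counter, 0x22, sizeof f->write_counter);
    memset(f->address, 0x33, sizeof f->address);
    memset(f->block_count, 0x44, sizeof f->block_count);
    memset(f->result, 0x55, sizeof f->result);
    memset(f->req_resp, 0x66, sizeof f->req_resp);
}

int main(void)
{
    RPMBDataFrame f;
    make_frame(&f);
    printf("data end:   offset %zu ok=%d\n", offset_in_frame(&f, trailer_data_end(&f)),
           mac_input_trailer_ok(&f, trailer_data_end));
    printf("frame base: offset %zu ok=%d\n", offset_in_frame(&f, trailer_frame_base(&f)),
           mac_input_trailer_ok(&f, trailer_frame_base));
    printf("offsetof:   offset %zu ok=%d\n", offset_in_frame(&f, trailer_offsetof(&f)),
           mac_input_trailer_ok(&f, trailer_offsetof));
    return 0;
}
```

With this layout the original and the offsetof() forms both resolve to byte 484 (the nonce) and produce a correct trailer, while the frame-base form resolves to byte 256, i.e. 28 bytes from the middle of `data`, and the MAC input quietly loses the nonce, write counter, address, block count, result and request/response fields. The two `_Static_assert`s are the cheap guard a maintainer can keep next to the real struct so that any future reordering fails the build instead of the authentication check.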