From: zhaoguohan_salmon@163.com
To: philmd@linaro.org, bmeng.cn@gmail.com
Cc: qemu-block@nongnu.org, qemu-devel@nongnu.org, GuoHan Zhao
Subject: [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac
Date: Thu, 6 Nov 2025 15:28:18 +0800
Message-ID: <20251106072818.25075-1-zhaoguohan_salmon@163.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-BeenThere: qemu-devel@nongnu.org
Content-Type:
text/plain; charset="utf-8" From: GuoHan Zhao Coverity reported a potential out-of-bounds read in rpmb_calc_hmac(): CID 1642869: Out-of-bounds read (OVERRUN) Overrunning array of 256 bytes at byte offset 256 by dereferencing pointer &frame->data[256]. The issue arises from using &frame->data[RPMB_DATA_LEN] as the source pointer for memcpy(). Although computing a one-past-the-end pointer is legal, dereferencing it (as memcpy() does) is undefined behavior in C. Signed-off-by: GuoHan Zhao --- hw/sd/sd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 9c86c016cc9d..bc2e9863a534 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1161,7 +1161,8 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDat= aFrame *frame, =20 assert(RPMB_HASH_LEN <=3D sizeof(sd->data)); =20 - memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN], + memcpy((uint8_t *)buf + RPMB_DATA_LEN, + (const uint8_t *)frame + RPMB_DATA_LEN, RPMB_HASH_LEN - RPMB_DATA_LEN); offset =3D lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_of= fset(sd); do { --=20 2.43.0
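Review bot: the replacement source pointer `(const uint8_t *)frame + RPMB_DATA_LEN` is only the same address as the old `&frame->data[RPMB_DATA_LEN]` when `data` is the first member of RPMBDataFrame; if any member precedes `data` in the frame, the memcpy now copies the RPMB_HASH_LEN - RPMB_DATA_LEN trailing bytes from the wrong place and the computed HMAC silently changes, which neither the hunk nor the commit message rules out. A form that keeps the intended address whatever the layout is `(const uint8_t *)frame + offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN`, ideally with a comment saying that the bytes after `data` up to RPMB_HASH_LEN are the MAC-covered fields that follow it in the packed frame, since that contiguity is what the copy depends on and the Coverity finding is really about expressing it without a one-past-the-end pointer.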
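Added example, not QEMU's code: it assumes the standard eMMC RPMB data frame layout (stuff bytes, key/MAC, data, nonce, write counter, address, block count, result, request/response type, 512 bytes total) rather than QEMU's own RPMBDataFrame definition, which is not shown in this mail. It checks the contiguity the copy relies on at compile time, shows where the hunk's `frame + RPMB_DATA_LEN` expression actually points under that layout, and builds the MAC input from the frame base with offsetof so no pointer is formed one past the end of `data`.

```c
/* Example code; struct layout is the standard RPMB frame, assumed here. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RPMB_DATA_LEN 256
/* data + nonce + write counter + address + block count + result + req_resp */
#define RPMB_HASH_LEN 284

typedef struct __attribute__((packed)) {
    uint8_t  stuff_bytes[196];
    uint8_t  key_mac[32];
    uint8_t  data[RPMB_DATA_LEN];
    uint8_t  nonce[16];
    uint32_t write_counter;
    uint16_t address;
    uint16_t block_count;
    uint16_t result;
    uint16_t req_resp;
} RPMBDataFrame;

/* The MAC-covered tail must sit directly after data and run to the end of
 * the frame; the old "one past the end of data" pointer relied on this. */
_Static_assert(sizeof(RPMBDataFrame) == 512, "RPMB frame must be 512 bytes");
_Static_assert(offsetof(RPMBDataFrame, nonce) ==
               offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN,
               "nonce must directly follow data");
_Static_assert(sizeof(RPMBDataFrame) - offsetof(RPMBDataFrame, data) ==
               RPMB_HASH_LEN, "MAC input must reach the end of the frame");

/* Byte offset read by the hunk's new expression: frame + RPMB_DATA_LEN. */
size_t patched_source_offset(void) { return RPMB_DATA_LEN; }

/* Byte offset the original code meant: the first byte after data. */
size_t intended_source_offset(void)
{
    return offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN;
}

/* Assemble the RPMB_HASH_LEN-byte HMAC input. The tail is addressed from the
 * frame base via offsetof, so no pointer past the end of data is formed. */
void rpmb_hmac_input(const RPMBDataFrame *frame, uint8_t buf[RPMB_HASH_LEN])
{
    memcpy(buf, frame->data, RPMB_DATA_LEN);
    memcpy(buf + RPMB_DATA_LEN,
           (const uint8_t *)frame + intended_source_offset(),
           RPMB_HASH_LEN - RPMB_DATA_LEN);
}
```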