hw/misc/aspeed_sbc: Add bounds checking for OTP write operations

[PATCH v1 0/1] hw/misc/aspeed_sbc: Add bounds checking for OTP write operations

Kane Chen posted 1 patch 1 month ago

Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260428055254.76581-1-kane._5Fchen@aspeedtech.com

Maintainers: "Cédric Le Goater" <clg@kaod.org>, Peter Maydell <peter.maydell@linaro.org>, Steven Lee <steven_lee@aspeedtech.com>, Troy Lee <leetroy@gmail.com>, Jamin Lin <jamin_lin@aspeedtech.com>, Kane Chen <kane_chen@aspeedtech.com>, Andrew Jeffery <andrew@codeconstruct.com.au>, Joel Stanley <joel@jms.id.au>

hw/misc/aspeed_sbc.c  | 14 +++++++++++---
hw/nvram/aspeed_otp.c | 13 ++++++-------
2 files changed, 17 insertions(+), 10 deletions(-)

Expand all Fold all

[PATCH v1 0/1] hw/misc/aspeed_sbc: Add bounds checking for OTP write operations

Posted by Kane Chen 1 month ago

This series fixes a bounds issue in Aspeed OTP programming through the
Secure Boot Controller path.

The guest-provided OTP address is word-indexed in the SBC model, but
the OTP device write path operates on byte offsets. Passing the value
through without validation/conversion could lead to out-of-range writes.

The patch adds bounds checking in aspeed_sbc_otp_prog() before
converting the address to a byte offset, and aligns the OTP write
helper interfaces with byte-offset semantics.

The patch has been validated by a functional test and by the boundary
test documented at:
https://gitlab.com/qemu-project/qemu/-/work_items/3436

Kane-Chen-AS (1):
  hw/misc/aspeed_sbc: Add bounds checking for OTP write operations

 hw/misc/aspeed_sbc.c  | 14 +++++++++++---
 hw/nvram/aspeed_otp.c | 13 ++++++-------
 2 files changed, 17 insertions(+), 10 deletions(-)

-- 
2.43.0