From: "Cédric Le Goater" <clg@redhat.com>
To: qemu-devel@nongnu.org, qemu-arm@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Steven Lee" <steven_lee@aspeedtech.com>,
"Troy Lee" <leetroy@gmail.com>,
"Jamin Lin" <jamin_lin@aspeedtech.com>,
"Kane Chen" <kane_chen@aspeedtech.com>,
"Cédric Le Goater" <clg@redhat.com>,
"Katherine Leaver" <katherine.j.leaver@gmail.com>,
qemu-stable@nongnu.org
Subject: [PATCH 1/2] aspeed/hace: Fix out-of-bounds read in has_padding()
Date: Mon, 4 May 2026 23:34:20 +0200
Message-ID: <20260504213421.710035-2-clg@redhat.com>
In-Reply-To: <20260504213421.710035-1-clg@redhat.com>
The has_padding() function reads the last 8 bytes of a DMA buffer
without validating req_len. req_len is guest-controlled (via
R_HASH_SRC_LEN register or scatter-gather entries) and values less
than 8 cause integer underflow. This can result in an out-of-bounds
read of QEMU process memory.
Add a check to ensure req_len >= 8 before accessing the buffer.
Reported-by: Katherine Leaver <katherine.j.leaver@gmail.com>
Cc: qemu-stable@nongnu.org
Fixes: 5cd7d8564a8b ("aspeed/hace: Support AST2600 HACE")
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/misc/aspeed_hace.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c
index 23e8030cd966..ef698b3ecb72 100644
--- a/hw/misc/aspeed_hace.c
+++ b/hw/misc/aspeed_hace.c
@@ -154,6 +154,14 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov,
hwaddr req_len, uint32_t *total_msg_len,
uint32_t *pad_offset)
{
+ /* Need at least 8 bytes to read the total message length field */
+ if (req_len < 8) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid request length=0x%" HWADDR_PRIx "\n",
+ __func__, req_len);
+ return false;
+ }
+
*total_msg_len = (uint32_t)(ldq_be_p(iov->iov_base + req_len - 8) / 8);
/*
* SG_LIST_LEN_LAST asserted in the request length doesn't mean it is the
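Review bot: the new `req_len < 8` guard removes the underflow in `req_len - 8`, but the hunk shows nothing bounding `req_len` by the size of the mapped buffer, so the read at `iov->iov_base + req_len - 8` is only in bounds if every caller guarantees `req_len <= iov->iov_len`. Since the commit message says `req_len` comes from R_HASH_SRC_LEN or scatter-gather entries, it would help to either extend the comment to state where that upper bound is enforced, or make the check explicit here, e.g. `if (req_len < 8 || req_len > iov->iov_len)`. Logging under LOG_GUEST_ERROR and returning false is the right reaction to a guest-supplied length; the comment above the check could also say that the 8 bytes are the big-endian total-length field the next line decodes with `ldq_be_p`.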
--
2.54.0
2026-05-04 21:34 [PATCH 0/2] aspeed/hace: security fixes Cédric Le Goater
2026-05-04 21:34 ` Cédric Le Goater [this message]
2026-05-04 21:34 ` [PATCH 2/2] aspeed/hace: Prevent total_req_len overflow Cédric Le Goater
2026-05-14 19:13 ` Michael Tokarev
2026-05-06 9:53 ` [PATCH 0/2] aspeed/hace: security fixes Kane Chen
2026-05-06 12:27 ` Cédric Le Goater
2026-05-07 2:23 ` Kane Chen
2026-05-06 15:28 ` Cédric Le Goater