From: "Cédric Le Goater" <clg@redhat.com>
To: Kane Chen <kane_chen@aspeedtech.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"qemu-arm@nongnu.org" <qemu-arm@nongnu.org>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Steven Lee <steven_lee@aspeedtech.com>,
Troy Lee <leetroy@gmail.com>,
Jamin Lin <jamin_lin@aspeedtech.com>
Subject: Re: [PATCH 0/2] aspeed/hace: security fixes
Date: Wed, 6 May 2026 14:27:55 +0200
Message-ID: <7d05a03d-9f29-4b7c-90ce-b61d23e5d07e@redhat.com>
In-Reply-To: <SI6PR06MB7631B46DF67C1532B154FFE1F73F2@SI6PR06MB7631.apcprd06.prod.outlook.com>

On 5/6/26 11:53, Kane Chen wrote:
>> -----Original Message-----
>> From: Cédric Le Goater <clg@redhat.com>
>> Sent: Tuesday, May 5, 2026 5:34 AM
>> To: qemu-devel@nongnu.org; qemu-arm@nongnu.org
>> Cc: Peter Maydell <peter.maydell@linaro.org>; Steven Lee
>> <steven_lee@aspeedtech.com>; Troy Lee <leetroy@gmail.com>; Jamin Lin
>> <jamin_lin@aspeedtech.com>; Kane Chen <kane_chen@aspeedtech.com>;
>> Cédric Le Goater <clg@redhat.com>
>> Subject: [PATCH 0/2] aspeed/hace: security fixes
>>
>> Hello,
>>
>> A couple of issues in the Aspeed HACE model were reported on the
>> qemu-security list. Here are fixes.
>>
>> Thanks,
>>
>> C.
>>
>> Cédric Le Goater (2):
>> aspeed/hace: Fix out-of-bounds read in has_padding()
>> aspeed/hace: Prevent total_req_len overflow
>>
>> hw/misc/aspeed_hace.c | 29 +++++++++++++++++++++++++++--
>> 1 file changed, 27 insertions(+), 2 deletions(-)
>>
>> --
>> 2.54.0
>
> Hi Cédric,
>
> Thank you for fixing the defects. These changes look good. However,
> I have one question regarding another potential issue.
>
> In the do_hash_operation function, after calling hash_prepare_sg_iov
> and hash_prepare_direct_iov, the function may return early if iov_idx
> is -1. In this case, the code flow will not reach hash_execute_acc_mode
> or hash_execute_non_acc_mode, which means the mapped address may not be
> unmapped properly.
>
> I think we may also need to unmap the address when this error condition
> occurs. Do you think this should be included in this patch series, or
> would a separate patch be preferred?
>
> If a separate patch is preferred,

Yes. Do you have time for it?

> then for this patch series:
> Reviewed-by: Kane Chen <kane_chen@aspeedtech.com>

Thanks,

C.
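
The early-return path raised in the quoted review, modelled as an added example that is not QEMU code and not part of this thread: a prepare step maps buffers, fails partway, and the caller either returns at once or releases what was mapped first. Every name here (map_buf, unmap_buf, prepare_iov, release_iov, run_request) is a hypothetical stand-in, and the model assumes the prepare step has already mapped some entries when it reports -1.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_SG 4

static int live_maps;                 /* mappings not yet released */

/* Stand-ins for a DMA map/unmap API (hypothetical, not QEMU's). */
static void *map_buf(size_t len) { live_maps++; return malloc(len); }
static void unmap_buf(void *p) { free(p); live_maps--; }

/* Map up to n entries (n <= MAX_SG); a zero length models a malformed entry.
 * Returns n or -1; *mapped always holds how many entries were mapped. */
static int prepare_iov(void *iov[], const size_t lens[], int n, int *mapped)
{
    for (*mapped = 0; *mapped < n; (*mapped)++) {
        if (lens[*mapped] == 0) {
            return -1;
        }
        iov[*mapped] = map_buf(lens[*mapped]);
    }
    return n;
}

static void release_iov(void *iov[], int count)
{
    for (int i = 0; i < count; i++) {
        unmap_buf(iov[i]);
    }
}

/* Returns mappings still live after one request; fixed=0 is the leaky flow. */
int run_request(const size_t lens[], int n, int fixed)
{
    void *iov[MAX_SG];
    int mapped = 0;

    live_maps = 0;
    if (prepare_iov(iov, lens, n, &mapped) < 0) {
        if (fixed) {
            release_iov(iov, mapped);   /* unmap before the early return */
        }
        return live_maps;
    }
    /* the hash would be computed over iov[] here */
    release_iov(iov, mapped);
    return live_maps;
}
```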