From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 08/18] hw/sd/sdcard: Avoid confusing address calculation in rpmb_calc_hmac
Date: Tue, 18 Nov 2025 20:00:43 +0100 [thread overview]
Message-ID: <20251118190053.39015-9-philmd@linaro.org> (raw)
In-Reply-To: <20251118190053.39015-1-philmd@linaro.org>
From: Jan Kiszka <jan.kiszka@siemens.com>
From the source frame, we initially need to copy out all fields after
data, thus starting from nonce on. Avoid expressing this indirectly by
pointing to the end of the data field - which also raised the attention
of Coverity (out-of-bound read w.r.t. data).
Resolves: CID 1642869
Reported-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <4f7e1952-ecbd-4484-b128-9d02de3a7935@siemens.com>
[PMD: Add comment before the memcpy() call]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/sd/sd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index df5a36fad9d..40a75a43ffb 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1160,8 +1160,13 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
assert(RPMB_HASH_LEN <= sizeof(sd->data));
- memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
+ /*
+ * We will hash everything from data field to the end of RPMBDataFrame.
+ */
+ memcpy((uint8_t *)buf + RPMB_DATA_LEN,
+ (uint8_t *)frame + offsetof(RPMBDataFrame, nonce),
RPMB_HASH_LEN - RPMB_DATA_LEN);
+
offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
do {
if (blk_pread(sd->blk, offset, RPMB_DATA_LEN, buf, 0) < 0) {
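Review bot: the new comment above the memcpy() says "everything from data field to the end of RPMBDataFrame" is hashed, but the memcpy() itself only copies the fields from nonce onward; the data bytes are filled into buf by the blk_pread() loop right below, so a reader may think the data field is copied here too. Suggest wording it as "The data field is read from the backend below; copy the remaining fields, from nonce to the end of the frame, after it." Also, the length RPMB_HASH_LEN - RPMB_DATA_LEN now silently assumes that nonce immediately follows data and that the hashed region ends with the frame; a QEMU_BUILD_BUG_ON(offsetof(RPMBDataFrame, nonce) != offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN) next to the existing assert() would make that layout dependency explicit and catch a future field reorder at compile time.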
--
2.51.0
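The address calculation the commit message describes, as an added example that is not QEMU's code: the struct below is a constructed stand-in laid out like the standard 512-byte RPMB frame (not the actual hw/sd/sd.c definition of RPMBDataFrame, which is not on this page), and the code shows that the old one-past-the-end expression and the new offsetof() form name the same byte, while deriving the tail copy length from the layout so that a field reorder fails to compile instead of silently over-reading.

```c
/* Added example, not QEMU code. Frame layout is constructed to follow the
 * standard RPMB frame: only the field order and sizes matter here. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RPMB_DATA_LEN  256
#define RPMB_NONCE_LEN 16

typedef struct {
    uint8_t  stuff[196];            /* padding bytes before the MAC */
    uint8_t  key_mac[32];
    uint8_t  data[RPMB_DATA_LEN];
    uint8_t  nonce[RPMB_NONCE_LEN];
    uint32_t write_counter;         /* big-endian on the wire */
    uint16_t address;
    uint16_t block_count;
    uint16_t result;
    uint16_t req_resp;
} RPMBDataFrame;                    /* 512 bytes, no padding */

/* The MAC covers data..end of frame. Derive the length from the layout
 * instead of hard-coding it, and pin the assumption the memcpy() relies on:
 * nonce must directly follow data, otherwise the copy length is wrong. */
#define RPMB_HASH_LEN (sizeof(RPMBDataFrame) - offsetof(RPMBDataFrame, data))
_Static_assert(offsetof(RPMBDataFrame, nonce) ==
               offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN,
               "nonce must immediately follow data");

/* Old form: &data[RPMB_DATA_LEN] is a one-past-the-end pointer. C lets you
 * form it (&E[i] is E + i, no access), but it is written as an element
 * access beyond the array, which is exactly what static analyzers flag. */
static const uint8_t *old_src(const RPMBDataFrame *f)
{
    return &f->data[RPMB_DATA_LEN];
}

/* New form: name the field the copy actually starts at. */
static const uint8_t *new_src(const RPMBDataFrame *f)
{
    return (const uint8_t *)f + offsetof(RPMBDataFrame, nonce);
}

/* Number of bytes the tail memcpy() moves: everything after data. */
size_t tail_copy_len(void) { return RPMB_HASH_LEN - RPMB_DATA_LEN; }

/* Returns 1 if both forms yield the same address and the tail copy ends
 * exactly at the end of the frame (no over-read). */
int same_source_address(void)
{
    RPMBDataFrame f;
    memset(&f, 0, sizeof f);
    return old_src(&f) == new_src(&f) &&
           new_src(&f) + tail_copy_len() == (const uint8_t *)&f + sizeof f;
}
```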