From: Peter Maydell <peter.maydell@linaro.org>
To: zhaoguohan_salmon@163.com
Cc: philmd@linaro.org, bmeng.cn@gmail.com, qemu-block@nongnu.org,
qemu-devel@nongnu.org, GuoHan Zhao <zhaoguohan@kylinos.cn>,
Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac
Date: Fri, 14 Nov 2025 13:39:46 +0000 [thread overview]
Message-ID: <CAFEAcA8iWqAgZzH7u3jYTEb-fjjsBWAp3WJY24xAKN8CpdVw9Q@mail.gmail.com> (raw)
In-Reply-To: <20251106072818.25075-1-zhaoguohan_salmon@163.com>
On Thu, 6 Nov 2025 at 07:29, <zhaoguohan_salmon@163.com> wrote:
>
> From: GuoHan Zhao <zhaoguohan@kylinos.cn>
>
> Coverity reported a potential out-of-bounds read in rpmb_calc_hmac():
>
> CID 1642869: Out-of-bounds read (OVERRUN)
> Overrunning array of 256 bytes at byte offset 256 by dereferencing
> pointer &frame->data[256].
>
> The issue arises from using &frame->data[RPMB_DATA_LEN] as the source
> pointer for memcpy(). Although computing a one-past-the-end pointer is
> legal, dereferencing it (as memcpy() does) is undefined behavior in C.
>
> Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
> ---
> hw/sd/sd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 9c86c016cc9d..bc2e9863a534 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1161,7 +1161,8 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
>
> assert(RPMB_HASH_LEN <= sizeof(sd->data));
>
> - memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
> + memcpy((uint8_t *)buf + RPMB_DATA_LEN,
> + (const uint8_t *)frame + RPMB_DATA_LEN,
> RPMB_HASH_LEN - RPMB_DATA_LEN);
> offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
> do {
What is this code even trying to do ? We define a RPMBDataFrame
which is a packed struct, but now we're randomly memcpying
a lump of data out of the middle of it ??
The start of the struct is
uint8_t stuff_bytes[RPMB_STUFF_LEN]; // offset 0
uint8_t key_mac[RPMB_KEY_MAC_LEN]; // offset 196
uint8_t data[RPMB_DATA_LEN]; // offset 228
uint8_t nonce[RPMB_NONCE_LEN]; // offset 484
so frame + RPMB_DATA_LEN (256) starts 28 bytes into the data
array; and then we're copying 28 bytes of data?
The existing code (frame->data[RPMB_DATA_LEN]) doesn't make
sense either, as that's a weird way to write frame->nonce,
and the RPMB_NONCE_LEN doesn't have the same length as what
we're copying either.
Can somebody who understands this explain what this code
is intended to be doing ?
thanks
-- PMM
next prev parent reply other threads:[~2025-11-14 13:40 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-06 7:28 [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac zhaoguohan_salmon
2025-11-14 13:39 ` Peter Maydell [this message]
2025-11-14 20:10 ` Jan Kiszka
2025-11-14 20:26 ` Philippe Mathieu-Daudé
2025-11-14 20:27 ` Jan Kiszka
2025-11-14 20:34 ` Philippe Mathieu-Daudé
2025-11-14 20:42 ` Jan Kiszka
2025-11-14 20:44 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA8iWqAgZzH7u3jYTEb-fjjsBWAp3WJY24xAKN8CpdVw9Q@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=bmeng.cn@gmail.com \
--cc=jan.kiszka@siemens.com \
--cc=philmd@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=zhaoguohan@kylinos.cn \
--cc=zhaoguohan_salmon@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).