Re: [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>, zhaoguohan_salmon@163.com
Cc: bmeng.cn@gmail.com, qemu-block@nongnu.org, qemu-devel@nongnu.org,
	GuoHan Zhao <zhaoguohan@kylinos.cn>,
	Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac
Date: Fri, 14 Nov 2025 21:26:17 +0100	[thread overview]
Message-ID: <b4d9cac0-8f72-47c2-8357-021c6d6efbc4@linaro.org> (raw)
In-Reply-To: <CAFEAcA8iWqAgZzH7u3jYTEb-fjjsBWAp3WJY24xAKN8CpdVw9Q@mail.gmail.com>

Hi Zhao, Peter,

On 14/11/25 14:39, Peter Maydell wrote:
> On Thu, 6 Nov 2025 at 07:29, <zhaoguohan_salmon@163.com> wrote:
>>
>> From: GuoHan Zhao <zhaoguohan@kylinos.cn>
>>
>> Coverity reported a potential out-of-bounds read in rpmb_calc_hmac():
>>
>> CID 1642869: Out-of-bounds read (OVERRUN)
>> Overrunning array of 256 bytes at byte offset 256 by dereferencing
>> pointer &frame->data[256].
>>
>> The issue arises from using &frame->data[RPMB_DATA_LEN] as the source
>> pointer for memcpy(). Although computing a one-past-the-end pointer is
>> legal, dereferencing it (as memcpy() does) is undefined behavior in C.
>>
>> Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
>> ---
>>   hw/sd/sd.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
>> index 9c86c016cc9d..bc2e9863a534 100644
>> --- a/hw/sd/sd.c
>> +++ b/hw/sd/sd.c
>> @@ -1161,7 +1161,8 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
>>
>>           assert(RPMB_HASH_LEN <= sizeof(sd->data));
>>
>> -        memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
>> +        memcpy((uint8_t *)buf + RPMB_DATA_LEN,
>> +               (const uint8_t *)frame + RPMB_DATA_LEN,
>>                  RPMB_HASH_LEN - RPMB_DATA_LEN);
>>           offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
>>           do {
> 
> What is this code even trying to do ? We define a RPMBDataFrame
> which is a packed struct, but now we're randomly memcpying
> a lump of data out of the middle of it ??
> 
> The start of the struct is
>      uint8_t stuff_bytes[RPMB_STUFF_LEN];  // offset 0
>      uint8_t key_mac[RPMB_KEY_MAC_LEN];    // offset 196
>      uint8_t data[RPMB_DATA_LEN];          // offset 228
>      uint8_t nonce[RPMB_NONCE_LEN];        // offset 484
> 
> so frame + RPMB_DATA_LEN (256) starts 28 bytes into the data
> array; and then we're copying 28 bytes of data?
> 
> The existing code (frame->data[RPMB_DATA_LEN]) doesn't make
> sense either, as that's a weird way to write frame->nonce,
> and the RPMB_NONCE_LEN doesn't have the same length as what
> we're copying either.

Indeed.

> Can somebody who understands this explain what this code
> is intended to be doing ?

We hash the frame data[] + nonce[], and work on the card block buffer
('buf'), filling it before hashing.

This change should clarify:

-- >8 --
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c86c016cc9..e60311e49a6 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -125 +125,2 @@ typedef struct SDProto {
-#define RPMB_HASH_LEN       284
+
+#define RPMB_HASH_LEN       (RPMB_DATA_LEN + RPMB_NONCE_LEN)
@@ -1164,2 +1165 @@ static bool rpmb_calc_hmac(SDState *sd, const 
RPMBDataFrame *frame,
-        memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
-               RPMB_HASH_LEN - RPMB_DATA_LEN);
+        memcpy((uint8_t *)buf + RPMB_DATA_LEN, frame->nonce, 
RPMB_NONCE_LEN);
---

Regards,

Phil.

next prev parent reply	other threads:[~2025-11-14 20:27 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06  7:28 [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac zhaoguohan_salmon
2025-11-14 13:39 ` Peter Maydell
2025-11-14 20:10   ` Jan Kiszka
2025-11-14 20:26   ` Philippe Mathieu-Daudé [this message]
2025-11-14 20:27     ` Jan Kiszka
2025-11-14 20:34       ` Philippe Mathieu-Daudé
2025-11-14 20:42         ` Jan Kiszka
2025-11-14 20:44           ` Philippe Mathieu-Daudé

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9c86c016cc dfblob:e60311e49a )
 OR (
bs:"Re: [PATCH] hw/sd/sdcard: fix potential out-of-bounds read in rpmb_calc_hmac" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b4d9cac0-8f72-47c2-8357-021c6d6efbc4@linaro.org \
    --to=philmd@linaro.org \
    --cc=bmeng.cn@gmail.com \
    --cc=jan.kiszka@siemens.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=zhaoguohan@kylinos.cn \
    --cc=zhaoguohan_salmon@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).