diff options
| author | Jamin Lin <jamin_lin@aspeedtech.com> | 2025-03-21 17:25:58 +0800 |
|---|---|---|
| committer | Cédric Le Goater <clg@redhat.com> | 2025-03-23 18:42:16 +0100 |
| commit | 78877b2e06464f49f777e086845e094ea7bc82ef (patch) | |
| tree | c0d3b0014ab56b1d5c4df1aeb7286184c431213b /scripts/rust | |
| parent | 7b8cbe5162e69ad629c5326bf3c158b81857955d (diff) | |
| download | qemu-78877b2e06464f49f777e086845e094ea7bc82ef.zip qemu-78877b2e06464f49f777e086845e094ea7bc82ef.tar.gz qemu-78877b2e06464f49f777e086845e094ea7bc82ef.tar.bz2 | |
hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
The maximum padding size is either 64 or 128 bytes and should always be smaller
than "req_len". If "padding_size" exceeds "req_len", then
"req_len - padding_size" underflows due to "uint32_t" data type, leading to a
large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory
access, potentially leading to a buffer overflow.
Added a check to ensure "padding_size" does not exceed "req_len" before
computing "pad_offset". This prevents "req_len - padding_size" from underflowing
and avoids accessing invalid memory.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Fixes: 5cd7d8564a8b563da724b9e6264c967f0a091afa ("aspeed/hace: Support AST2600 HACE ")
Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Diffstat (limited to 'scripts/rust')
0 files changed, 0 insertions, 0 deletions