From: GuoHan Zhao <[email protected]> Coverity reported a potential out-of-bounds read in rpmb_calc_hmac():
CID 1642869: Out-of-bounds read (OVERRUN) Overrunning array of 256 bytes at byte offset 256 by dereferencing pointer &frame->data[256]. The issue arises from using &frame->data[RPMB_DATA_LEN] as the source pointer for memcpy(). Although computing a one-past-the-end pointer is legal, dereferencing it (as memcpy() does) is undefined behavior in C. Signed-off-by: GuoHan Zhao <[email protected]> --- hw/sd/sd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 9c86c016cc9d..bc2e9863a534 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1161,7 +1161,8 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame, assert(RPMB_HASH_LEN <= sizeof(sd->data)); - memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN], + memcpy((uint8_t *)buf + RPMB_DATA_LEN, + (const uint8_t *)frame + RPMB_DATA_LEN, RPMB_HASH_LEN - RPMB_DATA_LEN); offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd); do { -- 2.43.0
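Review bot: the replacement source pointer `(const uint8_t *)frame + RPMB_DATA_LEN` only equals the old `&frame->data[RPMB_DATA_LEN]` when `data` is the first member of `RPMBDataFrame` (offset 0). If `data` is preceded by other fields, as in the JEDEC RPMB frame layout where stuff bytes and the key/MAC field come before the 256-byte data field, the new expression points into the middle of `data` rather than at the bytes that follow it, and the 28 bytes appended to the HMAC input silently change. Either write the offset explicitly, e.g. `(const uint8_t *)frame + offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN`, or name the field that follows `data` directly, and add a `QEMU_BUILD_BUG_ON(offsetof(RPMBDataFrame, data) + RPMB_HASH_LEN > sizeof(RPMBDataFrame))` so the source read is bounded by the struct at compile time; the existing `assert(RPMB_HASH_LEN <= sizeof(sd->data))` only guards the destination buffer. The commit message should also state that the HMAC output is unchanged by this patch (it is a pure aliasing fix for Coverity), since that is the property a reviewer needs to confirm.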
