From: Jan Kiszka <[email protected]>

From the source frame, we initially need to copy out all fields after data, thus starting from nonce on. Avoid expressing this indirectly by pointing to the end of the data field - which also raised the attention of Coverity (out-of-bound read w.r.t. data).
Resolves: CID 1642869 Reported-by: GuoHan Zhao <[email protected]> Signed-off-by: Jan Kiszka <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-ID: <[email protected]> [PMD: Add comment before the memcpy() call] Signed-off-by: Philippe Mathieu-Daudé <[email protected]> --- hw/sd/sd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index df5a36fad9d..40a75a43ffb 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -1160,8 +1160,13 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame, assert(RPMB_HASH_LEN <= sizeof(sd->data)); - memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN], + /* + * We will hash everything from data field to the end of RPMBDataFrame. + */ + memcpy((uint8_t *)buf + RPMB_DATA_LEN, + (uint8_t *)frame + offsetof(RPMBDataFrame, nonce), RPMB_HASH_LEN - RPMB_DATA_LEN); + offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd); do { if (blk_pread(sd->blk, offset, RPMB_DATA_LEN, buf, 0) < 0) { -- 2.51.0
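Review bot: the new comment above the memcpy() describes the hash input, not what this memcpy() copies, and the two differ: the copy starts at offsetof(RPMBDataFrame, nonce) and covers RPMB_HASH_LEN - RPMB_DATA_LEN bytes, while the data field itself is filled into buf by the blk_pread() loop that follows. Suggest wording it as "Copy the fields following data (nonce onward); the data field is read from the backend below" so a reader does not look for the data bytes in this call. The replacement also silently depends on the struct layout: it is only equivalent to the old &frame->data[RPMB_DATA_LEN] if nonce immediately follows data, and it only stays inside the frame if RPMB_HASH_LEN - RPMB_DATA_LEN equals the size of the fields from nonce to the end of RPMBDataFrame. The existing assert(RPMB_HASH_LEN <= sizeof(sd->data)) checks the destination, not the source, so a build-time check next to it, e.g. QEMU_BUILD_BUG_ON(offsetof(RPMBDataFrame, nonce) != offsetof(RPMBDataFrame, data) + RPMB_DATA_LEN) and a matching one against sizeof(RPMBDataFrame) - offsetof(RPMBDataFrame, data) == RPMB_HASH_LEN, would turn the assumption Coverity stumbled over into something the compiler verifies instead of something the comment asserts.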
