hw/misc/aspeed_hace: Fix buffer overflow in has_padding function

The maximum padding size is either 64 or 128 bytes and should always be smaller than "req_len". If "padding_size" exceeds "req_len", then "req_len - padding_size" underflows due to "uint32_t" data type, leading to a large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory access, potentially leading to a buffer overflow. Added a check to ensure "padding_size" does not exceed "req_len" before computing "pad_offset". This prevents "req_len - padding_size" from underflowing and avoids accessing invalid memory. Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Fixes: 5cd7d8564a ("aspeed/hace: Support AST2600 HACE ") Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
2026-02-18 02:12:13 -07:00 · 2025-03-21 17:25:58 +08:00 · 2025-03-21 17:25:58 +08:00 · 78877b2e06
commit 78877b2e06
parent 7b8cbe5162
1 changed files with 5 additions and 0 deletions
--- a/hw/misc/aspeed_hace.c
+++ b/hw/misc/aspeed_hace.c
@ -128,6 +128,11 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov,
    if (*total_msg_len <= s->total_req_len) {
        uint32_t padding_size = s->total_req_len - *total_msg_len;
        uint8_t *padding = iov->iov_base;
+
+        if (padding_size > req_len) {
+            return false;
+        }
+
        *pad_offset = req_len - padding_size;
        if (padding[*pad_offset] == 0x80) {
            return true;