qemu/hw
Jamin Lin a2d22778ad hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
The maximum padding size is either 64 or 128 bytes and should always be smaller
than "req_len". If "padding_size" exceeds "req_len", then
"req_len - padding_size" underflows due to "uint32_t" data type, leading to a
large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory
access, potentially leading to a buffer overflow.

Added a check to ensure "padding_size" does not exceed "req_len" before
computing "pad_offset". This prevents "req_len - padding_size" from underflowing
and avoids accessing invalid memory.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Fixes: 5cd7d8564a ("aspeed/hace: Support AST2600 HACE ")
Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
(cherry picked from commit 78877b2e06)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-03-24 23:49:58 +03:00
9pfs 9pfs: fix regression regarding CVE-2023-2861 2024-12-16 15:27:45 +03:00
acpi hmat acpi: Fix out of bounds access due to missing use of indirection 2024-03-13 21:52:34 +03:00
adc meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
alpha hw/pci: modify pci_setup_iommu() to set PCIIOMMUOps 2023-11-03 09:20:31 +01:00
arm Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 2025-03-22 10:52:51 +03:00
audio hw/audio/hda: fix memory leak on audio setup 2024-11-18 19:30:10 +03:00
avr hw/avr/atmega: Fix wrong initial value of stack pointer 2023-11-28 14:27:12 +01:00
block hw/block/nand: Fix out-of-bound access in NAND block buffer 2024-04-10 20:32:12 +03:00
char hw/char/bcm2835_aux: Fix assert when receive FIFO fills up 2024-08-28 08:37:14 +03:00
core qdev: Fix set_pci_devfn() to visit option only once 2024-11-26 19:06:00 +03:00
cpu hw/other: spelling fixes 2023-09-21 11:31:16 +03:00
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
cxl hw/cxl/cxl-host: Fix segmentation fault when getting cxl-fmw property 2024-08-27 22:11:45 +03:00
display ui/win32: fix potential use-after-free with dbus shared memory 2024-11-08 13:02:41 +03:00
dma hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields 2024-05-02 13:16:29 +03:00
gpio hw/gpio: npcm7xx: fixup out-of-bounds access 2025-03-22 10:52:51 +03:00
hppa hw/hppa/Kconfig: Fix building with "configure --without-default-devices" 2024-02-22 18:45:41 +03:00
hyperv vfio queue: 2023-11-07 09:41:52 +08:00
i2c hw/i2c: pmbus: reset page register for out of range reads 2023-11-07 13:08:49 +01:00
i386 amd_iommu: Use correct bitmask to set capability BAR 2025-03-22 10:52:51 +03:00
ide ide/via: Fix BAR4 value in legacy mode 2023-11-28 14:56:32 +01:00
input hw/input/stellaris_gamepad: Free StellarisGamepad::keycodes[] array 2023-11-27 15:27:46 +00:00
intc hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps for AArch32 EL3 2025-03-22 10:52:51 +03:00
ipack meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
ipmi hw/ipmi: Don't call vmstate_register() from instance_init() functions 2023-11-01 16:13:58 +01:00
isa hw/isa/vt82c686: Keep track of PIRQ/PINT pins separately 2024-04-16 17:27:39 +03:00
loongarch hw/loongarch/virt: Fix FDT memory node address width 2024-05-27 07:49:58 +03:00
m68k hw/core/machine: Constify MachineClass::valid_cpu_types[] 2023-11-20 15:30:59 +00:00
mem hw/cxl: Fix msix_notify: Assertion vector < dev->msix_entries_nr 2025-01-17 10:57:59 +03:00
microblaze hw/microblaze: Clean up local variable shadowing 2023-09-29 10:07:16 +02:00
mips hw/mips: LOONGSON3V depends on UNIMP device 2023-11-13 16:56:06 +01:00
misc hw/misc/aspeed_hace: Fix buffer overflow in has_padding function 2025-03-24 23:49:58 +03:00
net hw/net/smc91c111: Don't allow data register access to overrun buffer 2025-03-22 10:52:51 +03:00
nios2 target/nios2: Deprecate the Nios II architecture 2023-11-23 14:10:04 +00:00
nubus trace-events: Fix the name of the tracing.rst file 2023-09-08 13:08:51 +03:00
nvme hw/nvme: take a reference on the subsystem on vf realization 2024-12-16 15:27:45 +03:00
nvram hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array 2023-11-27 15:27:45 +00:00
openrisc hw/openrisc/openrisc_sim: keep serial@90000000 as default 2024-12-16 15:27:45 +03:00
pci pci/msix: Fix msix pba read vector poll end calculation 2025-01-17 09:26:23 +03:00
pci-bridge hw/pci-bridge/cxl_downstream: Set default link width and link speed 2023-11-07 03:39:11 -05:00
pci-host pci-host: designware: Limit value range of iATU viewport register 2024-02-09 10:44:49 +03:00
pcmcia hw/pcmcia/pxa2xx: Inline pxa2xx_pcmcia_init() 2023-10-27 12:48:57 +01:00
ppc ppc/pnv/occ: Fix common area sensor offsets 2025-03-22 10:52:51 +03:00
rdma hw/rdma/vmw/pvrdma_cmd: Use correct struct in query_port() 2023-10-21 15:00:22 +03:00
remote hw/remote/vfio-user: Fix config space access byte order 2024-05-13 09:03:37 +03:00
riscv target/riscv/kvm: fix timebase-frequency when using KVM acceleration 2024-03-27 13:04:06 +03:00
rtc goldfish_rtc: Fix tick_offset migration 2025-03-22 10:52:51 +03:00
rx hw/rx/rx62n: Use qdev_prop_set_array() 2023-11-10 18:19:13 +01:00
s390x s390x/s390-virtio-ccw: don't crash on weird RAM sizes 2024-12-24 15:31:54 +03:00
scsi scsi: megasas: Internal cdbs have 16-byte length 2024-12-16 15:27:45 +03:00
sd hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers 2024-08-28 08:37:14 +03:00
sensor hw/sensor: add ADM1266 device model 2023-11-07 13:08:49 +01:00
sh4 hw/other: spelling fixes 2023-09-21 11:31:16 +03:00
smbios hw/smbios: Fix port connector option validation 2024-02-13 21:06:20 +03:00
sparc other architectures: spelling fixes 2023-07-25 17:14:07 +03:00
sparc64 hw/sparc64/ebus: Access memory regions via pci_address_space_io() 2023-10-19 23:13:28 +02:00
ssi hw/ssi/xilinx_spips: fix an out of bound access 2023-11-27 15:38:43 +00:00
timer migration: Use vmstate_register_any() 2023-11-01 16:13:58 +01:00
tpm hw/tpm: spelling fixes 2023-09-20 07:54:34 +03:00
tricore hw/tricore: Log failing test in testdevice 2023-09-29 08:28:02 +02:00
ufs hw/ufs: Fix buffer overflow bug 2024-05-02 13:03:01 +03:00
usb Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 2025-03-22 10:52:51 +03:00
vfio vfio/migration: Report only stop-copy size in vfio_state_pending_exact() 2024-11-10 11:09:43 +03:00
virtio vdpa: Fix endian bugs in shadow virtqueue 2025-03-22 10:52:51 +03:00
watchdog hw/watchdog/wdt_aspeed: Remove unused 'hw/misc/aspeed_scu.h' header 2023-11-15 11:09:17 +03:00
xen xen: Drop out of coroutine context xen_invalidate_map_cache_entry 2024-03-13 20:15:59 +03:00
xenpv hw/xen: update Xen PV NIC to XenDevice model 2023-11-07 08:54:20 +00:00
xtensa trivial: Simplify the spots that use TARGET_BIG_ENDIAN as a numeric value 2023-09-08 13:08:52 +03:00
Kconfig hw/ufs: Initial commit for emulated Universal-Flash-Storage 2023-09-07 14:01:29 -04:00
meson.build hw/ufs: Initial commit for emulated Universal-Flash-Storage 2023-09-07 14:01:29 -04:00