hw/sd/sdcard: Avoid confusing address calculation in rpmb_calc_hmac
authorJan Kiszka <jan.kiszka@siemens.com>
Fri, 14 Nov 2025 21:27:35 +0000 (22:27 +0100)
committerPhilippe Mathieu-Daudé <philmd@linaro.org>
Tue, 18 Nov 2025 18:59:36 +0000 (19:59 +0100)
From the source frame, we initially need to copy out all fields after
data, thus starting from nonce on. Avoid expressing this indirectly by
pointing to the end of the data field - which also caught the attention
of Coverity (out-of-bounds read w.r.t. data).

Resolves: CID 1642869
Reported-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <4f7e1952-ecbd-4484-b128-9d02de3a7935@siemens.com>
[PMD: Add comment before the memcpy() call]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/sd/sd.c

index df5a36fad9debf707cfc19c1a6062be7aaf8d900..40a75a43ffb8c2a19dcf411c12f58273d407e197 100644 (file)
@@ -1160,8 +1160,13 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
 
         assert(RPMB_HASH_LEN <= sizeof(sd->data));
 
-        memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
+        /*
+         * We will hash everything from data field to the end of RPMBDataFrame.
+         */
+        memcpy((uint8_t *)buf + RPMB_DATA_LEN,
+               (uint8_t *)frame + offsetof(RPMBDataFrame, nonce),
                RPMB_HASH_LEN - RPMB_DATA_LEN);
+
         offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
         do {
             if (blk_pread(sd->blk, offset, RPMB_DATA_LEN, buf, 0) < 0) {
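Review bot: The new comment above the memcpy() says "from data field to the end of RPMBDataFrame", but the copy itself starts at `nonce` and the `data` part of buf is only filled by the blk_pread() loop below, so a reader is left to reconcile the two; I would reword it to `/* Copy every field after data (nonce onwards); the data bytes themselves are read from the backing block below. */`. The copy length is still the magic difference `RPMB_HASH_LEN - RPMB_DATA_LEN`, and nothing ties it to the struct layout it now indexes into with offsetof(): if the frame definition ever gains or loses a field after data, the copy silently over- or under-reads the frame, and the runtime assert on the previous line only bounds sd->data, not the source frame. If the hashed region is meant to run to the end of the struct (as the comment implies — to be confirmed against the RPMBDataFrame definition, which is outside this hunk), pin that with a build-time check next to the existing assert, e.g. `QEMU_BUILD_BUG_ON(RPMB_HASH_LEN - RPMB_DATA_LEN != sizeof(RPMBDataFrame) - offsetof(RPMBDataFrame, nonce));`. The body of rpmb_calc_hmac starts and ends outside the hunk.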