From 99282a805cea60a1b81223b1ed4fe42ea4b16189 Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Fri, 14 Nov 2025 22:27:35 +0100
Subject: [PATCH] hw/sd/sdcard: Avoid confusing address calculation in rpmb_calc_hmac
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

From the source frame, we initially need to copy out all fields after data, thus starting from nonce on. Avoid expressing this indirectly by pointing to the end of the data field - which also raised the attention of Coverity (out-of-bound read /wrt data).

Resolves: CID 1642869
Reported-by: GuoHan Zhao
Signed-off-by: Jan Kiszka
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <4f7e1952-ecbd-4484-b128-9d02de3a7935@siemens.com>
[PMD: Add comment before the memcpy() call]
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/sd/sd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index df5a36fad9..40a75a43ff 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1160,8 +1160,13 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
 assert(RPMB_HASH_LEN <= sizeof(sd->data));
- memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
+ /*
+ * We will hash everything from data field to the end of RPMBDataFrame.
+ */
+ memcpy((uint8_t *)buf + RPMB_DATA_LEN,
+ (uint8_t *)frame + offsetof(RPMBDataFrame, nonce),
 RPMB_HASH_LEN - RPMB_DATA_LEN);
+
 offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
 do {
 if (blk_pread(sd->blk, offset, RPMB_DATA_LEN, buf, 0) < 0) {
-- 
2.47.3
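Review bot: The new memcpy takes its source address from the struct layout (`offsetof(RPMBDataFrame, nonce)`) but its length from the free-standing constant `RPMB_HASH_LEN - RPMB_DATA_LEN`, so nothing ties the two together and a later change to the tail of RPMBDataFrame would make the copy silently read past the frame or hash the wrong bytes. Since the new comment states that the hashed range runs to the end of the frame, a build-time check next to the existing assert would pin that relationship: `QEMU_BUILD_BUG_ON(offsetof(RPMBDataFrame, nonce) + (RPMB_HASH_LEN - RPMB_DATA_LEN) != sizeof(RPMBDataFrame));`. The comment could also say where the first RPMB_DATA_LEN bytes of buf come from, because this copy only places the trailing fields while the loop below reads the data part per block with blk_pread, e.g. `/* Place the fields following data (nonce onwards) behind the data slot; the data itself is read per block into buf below. */`. rpmb_calc_hmac starts before and ends after this hunk, so whether sizeof(RPMBDataFrame) matches the frame length the constants assume is not visible here and would need confirming against the struct definition.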