On 05.05.2026 00:34, Cédric Le Goater wrote:
In accumulate mode, total_req_len is incremented with plen (hwaddr)
for each hash request. Repeated additions can overflow total_req_len
(uint32_t) and potentially bypass validation checks in has_padding().

Add a helper function to detect overflow before incrementing
total_req_len and reject the request if overflow would occur.

Reported-by: Katherine Leaver <[email protected]>
Cc: [email protected]
Fixes: 5cd7d8564a8b ("aspeed/hace: Support AST2600 HACE")
Signed-off-by: Cédric Le Goater <[email protected]>

This change does not apply to 10.0.x qemu-stable series, because,
at least, it lacks v10.0.0-1171-g7328c48b57c9 "hw/misc/aspeed_hace:
Extract direct mode hash buffer setup into helper function".
This code in 10.0.x is slightly different, namely, there's no
error return from the function in question.  Please take a look
at https://gitlab.com/mjt0k/qemu/-/commits/4a82112f40351e94f1b3af938782298abda1c810
which is my attempt to fix this code for 10.0.x (not even compile-
tested yet).

Thanks,

/mjt
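
The overflow described in the quoted commit message, as an added example that is not the QEMU patch and not code from either message: a 64-bit request length added to a 32-bit running total, first unchecked and then with a check made before the increment. The struct, function names and request sizes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the device state; only the counter matters here. */
struct hash_state {
    uint32_t total_req_len;   /* running length across accumulated requests */
};

/* Unchecked form: the sum is truncated to 32 bits, so it wraps mod 2^32. */
static void accumulate_unchecked(struct hash_state *s, uint64_t plen)
{
    s->total_req_len = (uint32_t)(s->total_req_len + plen);
}

/*
 * Checked form: compare against the remaining headroom before adding, so the
 * comparison itself cannot overflow. Returns false and leaves the counter
 * untouched when the request would not fit.
 */
static bool accumulate_checked(struct hash_state *s, uint64_t plen)
{
    if (plen > (uint64_t)UINT32_MAX - s->total_req_len) {
        return false;
    }
    s->total_req_len += (uint32_t)plen;
    return true;
}

int main(void)
{
    /* Constructed sample: two requests of 2^31 bytes, then one more byte. */
    struct hash_state a = { 0 }, b = { 0 };
    const uint64_t reqs[] = { 0x80000000ull, 0x80000000ull, 1 };

    for (size_t i = 0; i < 3; i++) {
        accumulate_unchecked(&a, reqs[i]);
        bool ok = accumulate_checked(&b, reqs[i]);
        printf("req %zu: unchecked total=%u, checked %s total=%u\n",
               i, a.total_req_len, ok ? "accepted" : "rejected",
               b.total_req_len);
    }
    return 0;
}
```

In the unchecked run the total returns to 0 after the second request, which is the state in which later length validation would be working from a wrong value.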
