On 5/14/26 20:48, Michael Tokarev wrote:
> On 28.04.2026 08:52, Kane Chen wrote:
>> There is a mismatch between the Aspeed OTP model and the Aspeed SBC
>> model in how the guest-provided address is handled.
>>
>> aspeed_sbc_otp_prog() passes a word-indexed address directly
>> to address_space_write() without converting it to a byte offset,
>> whereas aspeed_otp_write() expects a byte offset and applies an
>> additional shift (otp_addr << 2). This double-shift confusion means
>> that an out-of-range word address can lead to a write beyond the
>> allocated storage.
>>
>> Fix this by adding bounds checking on the word offset before
>> converting to byte offset and passing to address_space_write().
>> This matches the existing bounds check in aspeed_sbc_otp_read().
>>
>> Cc: Kane-Chen-AS <[email protected]>
>> Cc: [email protected]
>> Fixes: 1a00754ccf15 ("hw/misc: Add Aspeed Secure Boot Controller model")
>
> FWIW (this change has already landed in the master branch, so it's cast
> in stone), I can't find this commit in my git clone of qemu repository.
> Neither hash ID nor the name.

My bad :/ I should improve my flow to check for bogus commit ids.

> Is it this one maybe? https://marc.info/?l=qemu-arm&m=164500409921734,
> which is commit e1acf581c9 in qemu? It has a different commit message
> though.

It should be:

Fixes: 9f58dd0a8c30 ("hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC")

> And this patch does not apply to 10.0.x, - in there, there's no
> hw/nvram/aspeed_otp.c (688a3dae78 hw/nvram/aspeed_otp: Add ASPEED OTP
> memory device model). I assume it's not needed for 10.0.x, but in
> that case, the Fixes: tag isn't even commit e1acf581c9.

It should apply on stable-10.2
Thanks,
C.
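An added example, not part of this thread or of QEMU's code, modelling the word-index versus byte-offset mismatch the commit message describes and the word-scale bounds check that fixes it. OTP_WORDS, otp_t, otp_write, otp_read_word and sbc_otp_prog are hypothetical names standing in for the SBC front-end and the OTP backend; the 8-word storage is constructed for the demo.

```c
/* Added example (not QEMU's code): a model of the word-index vs byte-offset
 * mismatch the commit message describes and the check that fixes it.
 * OTP_WORDS, otp_t, otp_write, otp_read_word and sbc_otp_prog are
 * hypothetical names; the 8-word storage is constructed for the demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OTP_WORDS 8u
#define OTP_BYTES ((uint64_t)OTP_WORDS * 4)

typedef struct { uint32_t words[OTP_WORDS]; } otp_t;
static otp_t g_otp;   /* constructed storage the demo writes into */

/* Backend, in the role of address_space_write() into the OTP region:
 * takes a BYTE offset and refuses anything that is not a whole,
 * in-range 32-bit word, so it can never index past words[]. */
static bool otp_write(otp_t *otp, uint64_t byte_off, uint32_t val)
{
    if (byte_off % 4 != 0 || byte_off + 4 > OTP_BYTES) {
        return false;
    }
    otp->words[byte_off / 4] = val;
    return true;
}

static uint32_t otp_read_word(const otp_t *otp, uint32_t word_addr)
{
    return word_addr < OTP_WORDS ? otp->words[word_addr] : 0;
}

/* Front-end, in the role of aspeed_sbc_otp_prog(): the guest supplies a
 * WORD index. The fix is to bounds-check on the word scale first and only
 * then convert to bytes. Multiplying first in 32-bit arithmetic would let
 * indexes >= 0x40000000 wrap around and slip past a byte-scale check. */
static bool sbc_otp_prog(otp_t *otp, uint32_t word_addr, uint32_t val)
{
    if (word_addr >= OTP_WORDS) {
        return false;   /* guest-controlled index outside the OTP array */
    }
    return otp_write(otp, (uint64_t)word_addr * 4, val);
}

int main(void)
{
    printf("word 3 accepted: %d\n", sbc_otp_prog(&g_otp, 3, 0xdeadbeefu));
    printf("word %u rejected: %d\n", OTP_WORDS, !sbc_otp_prog(&g_otp, OTP_WORDS, 1));
    /* The bug: an unconverted word index reaches the backend as byte 3,
     * not word 3. This backend rejects the misaligned offset; the real
     * model instead scaled it again, hence the out-of-range write. */
    printf("raw index 3 as byte offset: %d\n", otp_write(&g_otp, 3, 1));
    return 0;
}
```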