From: Cédric Le Goater <[email protected]> In accumulate mode, total_req_len is incremented with plen (hwaddr) for each hash request. Repeated additions can overflow total_req_len (uint32_t) and potentially bypass validation checks in has_padding().
Add a helper function to detect overflow before incrementing total_req_len and reject the request if overflow would occur. Reported-by: Katherine Leaver <[email protected]> Cc: [email protected] Fixes: 5cd7d8564a8b ("aspeed/hace: Support AST2600 HACE") Link: https://lore.kernel.org/qemu-devel/[email protected] Signed-off-by: Cédric Le Goater <[email protected]> (cherry picked from commit c6aa2d0ac161f2a58a8fbab9a15e846278661158) (Mjt: fixup for 10.0 due to missing v10.0.0-1171-g7328c48b57c9 "hw/misc/aspeed_hace: Extract direct mode hash buffer setup into helper function") Reviewed-by: Cédric Le Goater <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c index 212703cbe4..d1b9dd4c3a 100644 --- a/hw/misc/aspeed_hace.c +++ b/hw/misc/aspeed_hace.c @@ -169,6 +169,19 @@ static int reconstruct_iov(AspeedHACEState *s, struct iovec *iov, int id, return iov_count; } +static bool hash_accumulate_len(AspeedHACEState *s, hwaddr plen) +{ + if (plen > UINT32_MAX - s->total_req_len) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: total_req_len overflow, current=0x%x, adding=0x%" + HWADDR_PRIx "\n", __func__, s->total_req_len, plen); + return false; + } + + s->total_req_len += plen; + return true; +} + static void do_hash_operation(AspeedHACEState *s, int algo, bool sg_mode, bool acc_mode) { @@ -224,7 +237,9 @@ static void do_hash_operation(AspeedHACEState *s, int algo, bool sg_mode, } iov[i].iov_base = haddr; if (acc_mode) { - s->total_req_len += plen; + if (!hash_accumulate_len(s, plen)) { + return; + } if (has_padding(s, &iov[i], plen, &total_msg_len, &pad_offset)) { -- 2.47.3
