hw/sd/sdcard: Avoid confusing address calculation in rpmb_calc_hmac
From the source frame, we initially need to copy out all fields after data, thus starting from nonce on. Avoid expressing this indirectly by pointing to the end of the data field - which also raised the attention of Coverity (out-of-bound read /wrt data). Resolves: CID 1642869 Reported-by: GuoHan Zhao <zhaoguohan@kylinos.cn> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <4f7e1952-ecbd-4484-b128-9d02de3a7935@siemens.com> [PMD: Add comment before the memcpy() call] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This commit is contained in:
Jan Kiszka
Philippe Mathieu-Daudé
parent
f20a824902
commit
99282a805c
1 changed files with 6 additions and 1 deletions
|
|
@ -1160,8 +1160,13 @@ static bool rpmb_calc_hmac(SDState *sd, const RPMBDataFrame *frame,
|
|||
|
||||
assert(RPMB_HASH_LEN <= sizeof(sd->data));
|
||||
|
||||
memcpy((uint8_t *)buf + RPMB_DATA_LEN, &frame->data[RPMB_DATA_LEN],
|
||||
/*
|
||||
* We will hash everything from data field to the end of RPMBDataFrame.
|
||||
*/
|
||||
memcpy((uint8_t *)buf + RPMB_DATA_LEN,
|
||||
(uint8_t *)frame + offsetof(RPMBDataFrame, nonce),
|
||||
RPMB_HASH_LEN - RPMB_DATA_LEN);
|
||||
|
||||
offset = lduw_be_p(&frame->address) * RPMB_DATA_LEN + sd_part_offset(sd);
|
||||
do {
|
||||
if (blk_pread(sd->blk, offset, RPMB_DATA_LEN, buf, 0) < 0) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue