From d4c6c60993ac90fb72cb7abbba7ed5dc00dc893e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= Date: Mon, 26 Jan 2026 15:18:20 +0100 Subject: [PATCH] hw/adc: Fix out-of-bounds write in Aspeed ADC model MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'regs' array has ASPEED_ADC_NR_REGS (52) elements, while the memory region covers offsets 0x00-0xFC. The aspeed_adc_engine_write() function has an out-of-bounds write vulnerability when accessing unimplemented registers. Fix this by using 'return' instead of 'break' in the default case, which prevents execution from reaching the s->regs[reg] assignment for unimplemented registers. Reported-by: Elhrj Saad Fixes: 5857974d5d11 ("hw/adc: Add basic Aspeed ADC model") Reviewed-by: Philippe Mathieu-Daudé Link: https://lore.kernel.org/qemu-devel/20260126141820.719492-1-clg@redhat.com Signed-off-by: Cédric Le Goater (cherry picked from commit 4c6521296d2b6820ab1f8c59d3a80cd0c138b2d8) Signed-off-by: Michael Tokarev --- hw/adc/aspeed_adc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/adc/aspeed_adc.c b/hw/adc/aspeed_adc.c index 3e820cae1e..5f2b8566f5 100644 --- a/hw/adc/aspeed_adc.c +++ b/hw/adc/aspeed_adc.c @@ -228,7 +228,8 @@ static void aspeed_adc_engine_write(void *opaque, hwaddr addr, uint64_t value, qemu_log_mask(LOG_UNIMP, "%s: engine[%u]: " "0x%" HWADDR_PRIx " 0x%" PRIx64 "\n", __func__, s->engine_id, addr, value); - break; + /* Do not update the regs[] array */ + return; } s->regs[reg] = value;
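Review bot: The `return` in the default case stops the `s->regs[reg] = value` write for offsets the switch does not handle, but the bound (52 entries versus a 0x00-0xFC region) is still only enforced indirectly, through the case labels. An explicit guard such as `if (reg >= ASPEED_ADC_NR_REGS) { ...; return; }` before the switch, or sizing the memory region to `ASPEED_ADC_NR_REGS * 4`, would make the limit hold regardless of which case labels are added later. The new comment would also be clearer if it stated why the write is skipped, e.g. "unimplemented register; offset may exceed ASPEED_ADC_NR_REGS". Worth confirming that the read path uses the same guard.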