qemu/hw-nvram-at24-return-0xff-if-1-byte-addr.patch


From: Patrick Venture <venture@google.com>
Date: Mon, 20 Dec 2021 13:21:37 -0800
Subject: hw/nvram: at24 return 0xff if 1 byte address
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 1cbab82e9d1bdb2c7b9ef46a396fdc03ea3fa04c
References: bsc#1193880 CVE-2021-3929

The at24 eeproms are 2 byte devices that return 0xff when they are read
from with a partial (1-byte) address written. This distinction was
found comparing model behavior to real hardware testing.
Tested: `i2ctransfer -f -y 45 w1@85 0 r1` returns 0xff instead of next byte
Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211220212137.1244511-1-venture@google.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Li Zhang <lizhang@suse.de>
---
hw/nvram/eeprom_at24c.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/nvram/eeprom_at24c.c b/hw/nvram/eeprom_at24c.c
index af6f5dbb998475871b4defb59c47..b956b8e2b2d9d74a1bc61bc16eb9 100644
--- a/hw/nvram/eeprom_at24c.c
+++ b/hw/nvram/eeprom_at24c.c
@@ -58,9 +58,10 @@ int at24c_eeprom_event(I2CSlave *s, enum i2c_event event)
switch (event) {
case I2C_START_SEND:
- case I2C_START_RECV:
case I2C_FINISH:
ee->haveaddr = 0;
+ /* fallthrough */
+ case I2C_START_RECV:
DPRINTK("clear\n");
if (ee->blk && ee->changed) {
int len = blk_pwrite(ee->blk, 0, ee->mem, ee->rsize, 0);
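Review bot: the bare `/* fallthrough */` above `case I2C_START_RECV:` records that the fallthrough is deliberate but not why; since the whole point of moving `I2C_START_RECV` below `ee->haveaddr = 0;` is that a read start must keep the partially latched address so `at24c_eeprom_recv()` can see `haveaddr == 1`, a reader skimming this switch could later "fix" the ordering back. Suggest extending the comment to something like `/* fallthrough: START_RECV keeps haveaddr so a partial address is detectable */`, which also keeps `-Wimplicit-fallthrough` satisfied.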
@@ -84,6 +85,10 @@ uint8_t at24c_eeprom_recv(I2CSlave *s)
EEPROMState *ee = AT24C_EE(s);
uint8_t ret;
+ if (ee->haveaddr == 1) {
+ return 0xff;
+ }
+
ret = ee->mem[ee->cur];
ee->cur = (ee->cur + 1u) % ee->rsize;
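Review bot: the new `if (ee->haveaddr == 1) { return 0xff; }` block is undocumented in the code itself, even though the behaviour (a read after a one-byte address write returns 0xff rather than the next byte, matching real at24 parts) is only explained in the commit message; since this is the early exit that keeps the read from reaching `ret = ee->mem[ee->cur];` with an incompletely written address, a one-line comment above the check stating that a partial 2-byte address yields 0xff on hardware would make the intent survive in the source. For consistency with the `DPRINTK("clear\n");` tracing in `at24c_eeprom_event()`, a `DPRINTK` on this path would also help when comparing model output against the `i2ctransfer` test named in the description.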