From: Patrick Venture Date: Mon, 20 Dec 2021 13:21:37 -0800 Subject: hw/nvram: at24 return 0xff if 1 byte address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 1cbab82e9d1bdb2c7b9ef46a396fdc03ea3fa04c References: bsc#1193880 CVE-2021-3929 The at24 eeproms are 2 byte devices that return 0xff when they are read from with a partial (1-byte) address written. This distinction was found comparing model behavior to real hardware testing. Tested: `i2ctransfer -f -y 45 w1@85 0 r1` returns 0xff instead of next byte Signed-off-by: Patrick Venture Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20211220212137.1244511-1-venture@google.com> Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Li Zhang --- hw/nvram/eeprom_at24c.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/nvram/eeprom_at24c.c b/hw/nvram/eeprom_at24c.c index af6f5dbb998475871b4defb59c47..b956b8e2b2d9d74a1bc61bc16eb9 100644 --- a/hw/nvram/eeprom_at24c.c +++ b/hw/nvram/eeprom_at24c.c @@ -58,9 +58,10 @@ int at24c_eeprom_event(I2CSlave *s, enum i2c_event event) switch (event) { case I2C_START_SEND: - case I2C_START_RECV: case I2C_FINISH: ee->haveaddr = 0; + /* fallthrough */ + case I2C_START_RECV: DPRINTK("clear\n"); if (ee->blk && ee->changed) { int len = blk_pwrite(ee->blk, 0, ee->mem, ee->rsize, 0); @@ -84,6 +85,10 @@ uint8_t at24c_eeprom_recv(I2CSlave *s) EEPROMState *ee = AT24C_EE(s); uint8_t ret; + if (ee->haveaddr == 1) { + return 0xff; + } + ret = ee->mem[ee->cur]; ee->cur = (ee->cur + 1u) % ee->rsize;