On 1/26/26 17:18, Cédric Le Goater wrote:
The 'regs' array has ASPEED_ADC_NR_REGS (52) elements, while the
memory region covers offsets 0x00-0xFC. The aspeed_adc_engine_write()
function has an out-of-bounds write vulnerability when accessing
unimplemented registers.

Fix this by using 'return' instead of 'break' in the default case,
which prevents execution from reaching the s->regs[reg] assignment for
unimplemented registers.

Reported-by: Elhrj Saad <[email protected]>
Fixes: 5857974d5d11 ("hw/adc: Add basic Aspeed ADC model")
Signed-off-by: Cédric Le Goater <[email protected]>
---
  hw/adc/aspeed_adc.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

This feels like qemu-stable material.

Please let me know if it isn't.

Thanks,

/mjt

diff --git a/hw/adc/aspeed_adc.c b/hw/adc/aspeed_adc.c
index fd3af308296e..3cc75bbcd6e2 100644
--- a/hw/adc/aspeed_adc.c
+++ b/hw/adc/aspeed_adc.c
@@ -228,7 +228,8 @@ static void aspeed_adc_engine_write(void *opaque, hwaddr 
addr, uint64_t value,
          qemu_log_mask(LOG_UNIMP, "%s: engine[%u]: "
                        "0x%" HWADDR_PRIx " 0x%" PRIx64 "\n",
                        __func__, s->engine_id, addr, value);
-        break;
+        /* Do not update the regs[] array */
+        return;
      }
s->regs[reg] = value;
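Review bot: the `return` in the default case also changes behaviour for unimplemented registers that are inside the array (offsets below 0xD0): a guest write to one of those is now dropped instead of stored, so a later read returns the reset value rather than the written one. That is what the commit message asks for, but it is worth stating explicitly there since this is headed for stable. Independently of the switch, consider an explicit bound before the store, e.g. `if (reg < ASPEED_ADC_NR_REGS) { s->regs[reg] = value; }` (or an assertion), so that the array bound no longer depends on every case arm returning rather than breaking; the 52-entry array versus the 0x00-0xFC region is easy to get wrong again when a case is added.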


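As an added illustration, not QEMU code and not from the patch author: a stand-alone C sketch of the arithmetic behind the fix. With 52 entries, regs[] covers word offsets 0x00..0xCC, while the MMIO region runs to 0xFC, i.e. word index 63, so the twelve offsets 0xD0..0xFC indexed past the array whenever the default case fell through to the store. The struct, the register names, the assumption that the word index is `addr >> 2`, and the helper functions below are all constructed for this sketch.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the model in the patch (names are assumptions):
 * 52 register entries, but an MMIO region of 0x00..0xFC (64 words).
 * The word index is assumed to be addr >> 2.
 */
#define ADC_NR_REGS      52
#define ADC_REGION_SIZE  0x100

struct adc_state {
    uint32_t regs[ADC_NR_REGS];
};

/* Offsets this sketch treats as implemented (assumed). */
enum {
    ADC_ENGINE_CTRL = 0x00,
    ADC_INT_CTRL    = 0x04,
};

static unsigned adc_reg_index(uint64_t addr)
{
    return (unsigned)(addr >> 2);
}

/* True when storing through regs[] at this region offset would run off the array. */
static bool adc_store_is_out_of_bounds(uint64_t addr)
{
    return addr < ADC_REGION_SIZE && adc_reg_index(addr) >= ADC_NR_REGS;
}

/*
 * Pre-fix shape: the default case logs and breaks, so control still reaches
 * the store. For offsets 0xD0..0xFC that is an out-of-bounds write, so this
 * sketch only ever calls it with an in-range offset.
 */
static void adc_write_break(struct adc_state *s, uint64_t addr, uint32_t value)
{
    switch (addr) {
    case ADC_ENGINE_CTRL:
    case ADC_INT_CTRL:
        break;
    default:
        fprintf(stderr, "unimplemented write at 0x%" PRIx64 "\n", addr);
        break;                               /* falls out of the switch ... */
    }
    s->regs[adc_reg_index(addr)] = value;    /* ... and stores whatever the index is */
}

/*
 * Post-fix shape: unimplemented offsets return before the store. Returns true
 * when regs[] was updated. The explicit bound check is extra: it keeps the
 * array safe even if a future case arm breaks instead of returning.
 */
static bool adc_write_return(struct adc_state *s, uint64_t addr, uint32_t value)
{
    unsigned reg = adc_reg_index(addr);

    switch (addr) {
    case ADC_ENGINE_CTRL:
    case ADC_INT_CTRL:
        break;
    default:
        fprintf(stderr, "unimplemented write at 0x%" PRIx64 "\n", addr);
        return false;                        /* do not update regs[] */
    }
    if (reg >= ADC_NR_REGS) {
        return false;
    }
    s->regs[reg] = value;
    return true;
}

/* Counts the word offsets in the region whose store would land past regs[]. */
static unsigned adc_count_oob_offsets(void)
{
    unsigned n = 0;
    for (uint64_t addr = 0; addr < ADC_REGION_SIZE; addr += 4) {
        if (adc_store_is_out_of_bounds(addr)) {
            n++;
        }
    }
    return n;
}

/* Exercises both handlers on a fresh state; returns 0 when behaviour matches the patch. */
static int adc_selfcheck(void)
{
    struct adc_state s;
    memset(&s, 0, sizeof(s));

    if (!adc_write_return(&s, ADC_INT_CTRL, 0xabcd) || s.regs[1] != 0xabcd) return 1;
    if (adc_write_return(&s, 0x10, 1) || s.regs[4] != 0) return 2;  /* in range, unimplemented */
    if (adc_write_return(&s, 0xFC, 1)) return 3;                      /* would index regs[63] */
    adc_write_break(&s, 0x10, 5);                                     /* pre-fix stores anyway */
    if (s.regs[4] != 5) return 4;
    return 0;
}

int main(void)
{
    printf("words in region: %u, regs[] entries: %u, out-of-bounds offsets: %u\n",
           ADC_REGION_SIZE / 4, ADC_NR_REGS, adc_count_oob_offsets());
    printf("selfcheck: %d\n", adc_selfcheck());
    return 0;
}
```

The sketch deliberately never calls the pre-fix handler with an offset at or above 0xD0; `adc_store_is_out_of_bounds()` reports what such a call would do instead of doing it.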