1. Patchew
  2. QEMU
  3. View series

[PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input.

Jonathan Cameron via posted 10 patches 3 weeks, 1 day ago 
hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------
1 file changed, 62 insertions(+), 11 deletions(-)
[PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input.
Posted by Jonathan Cameron via 3 weeks, 1 day ago 
The CXL device mailbox has some variable sized input commands. The payload
length for each must be established using command especific structures.

If user space is either buggy or malicious, it may use size fields to
indicate fields beyond the end of the payload sent.  Some checks on this
were missing and Esifiel picked up on this.  I've tagged all these fixes
with Esifiel's Reported-by as either they were in the report or are similar
issues in other commands.

These can mostly be easily tested by using the raw mailbox commands option
in Linux and injecting broken commands from user space.

A typical command needs to first check that there is enough data to get to
the command specific sizing fields, then check the reported size is less
than or equal to the available payload.

Note that I think it very unlikely anyone is currently using CXL emulation
with a VM that they do not trust, but that may happen in future so good to
fix these paths now.

Jonathan Cameron (10):
  hw/cxl: Check size of input data to dynamic capacity mailbox commands
  hw/cxl: Check input includes at least the header in
    cmd_features_set_feature()
  hw/cxl: Check input length is large enough in
    cmd_events_clear_records()
  hw/cxl: Check enough data in cmd_firmware_update_transfer()
  hw/cxl: Check the length of data requested fits in get_log()
  hw/cxl: Avoid accesses beyond the end of cel_log.
  hw/cxl: Ensuring enough data to read parameters in
    cmd_tunnel_management_cmd()
  hw/cxl: Check that writes do not go beyond end of target attributes
  hw/cxl: Ensure there is enough data for the header in
    cmd_ccls_set_lsa()
  hw/cxl: Ensure there is enough data to read the input header in
    cmd_get_physical_port_state()

 hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------
 1 file changed, 62 insertions(+), 11 deletions(-)

-- 
2.43.0
Re: [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input.
Posted by Jonathan Cameron via 3 weeks, 1 day ago 
On Fri, 1 Nov 2024 13:39:07 +0000
Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote:

> The CXL device mailbox has some variable sized input commands. The payload
> length for each must be established using command especific structures.
> 
> If user space is either buggy or malicious, it may use size fields to
> indicate fields beyond the end of the payload sent.  Some checks on this
> were missing and Esifiel picked up on this.  I've tagged all these fixes
> with Esifiel's Reported-by as either they were in the report or are similar
> issues in other commands.
> 
> These can mostly be easily tested by using the raw mailbox commands option
> in Linux and injecting broken commands from user space.
> 
> A typical command needs to first check that there is enough data to get to
> the command specific sizing fields, then check the reported size is less
> than or equal to the available payload.
> 
> Note that I think it very unlikely anyone is currently using CXL emulation
> with a VM that they do not trust, but that may happen in future so good to
> fix these paths now.

Sorry, forgot to list dependencies.

Based-on: [PATCH 0/7] hw/cxl: Round up of fixes.
Based-on: [PATCH qemu 0/2] hw/cxl: Misc fixes

Based-on: Message-id: 20241014121902.2146424-1-Jonathan.Cameron@huawei.com
Based-on; message-id: 20241101132005.26633-1-Jonathan.Cameron@huawei.com


> 
> Jonathan Cameron (10):
>   hw/cxl: Check size of input data to dynamic capacity mailbox commands
>   hw/cxl: Check input includes at least the header in
>     cmd_features_set_feature()
>   hw/cxl: Check input length is large enough in
>     cmd_events_clear_records()
>   hw/cxl: Check enough data in cmd_firmware_update_transfer()
>   hw/cxl: Check the length of data requested fits in get_log()
>   hw/cxl: Avoid accesses beyond the end of cel_log.
>   hw/cxl: Ensuring enough data to read parameters in
>     cmd_tunnel_management_cmd()
>   hw/cxl: Check that writes do not go beyond end of target attributes
>   hw/cxl: Ensure there is enough data for the header in
>     cmd_ccls_set_lsa()
>   hw/cxl: Ensure there is enough data to read the input header in
>     cmd_get_physical_port_state()
> 
>  hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------
>  1 file changed, 62 insertions(+), 11 deletions(-)
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.