1. Patchew
  2. QEMU
  3. [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input.
  4. View patch

[PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()

Jonathan Cameron via posted 10 patches 3 weeks, 1 day ago
[PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Posted by Jonathan Cameron via 3 weeks, 1 day ago 
Buggy software might write a message that is too short for
either the header, or the header + the event data that is specified
in the header.  This may result in accesses beyond the range of the
message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index e63140aefe..3cb499a24f 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd,
     CXLClearEventPayload *pl;
 
     pl = (CXLClearEventPayload *)payload_in;
+
+    if (len_in < sizeof(*pl) ||
+        len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
+
     *len_out = 0;
     return cxl_event_clear_records(cxlds, pl);
 }
-- 
2.43.0
Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Posted by Fan Ni 2 weeks, 3 days ago 
On Fri, Nov 01, 2024 at 01:39:10PM +0000, Jonathan Cameron wrote:
> Buggy software might write a message that is too short for
> either the header, or the header + the event data that is specified
> in the header.  This may result in accesses beyond the range of the
> message allocated as a duplicate of the incoming message buffer.
> 
> Reported-by: Esifiel <esifiel@gmail.com>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---

Reviewed-by: Fan Ni <fan.ni@samsung.com>

>  hw/cxl/cxl-mailbox-utils.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index e63140aefe..3cb499a24f 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd,
>      CXLClearEventPayload *pl;
>  
>      pl = (CXLClearEventPayload *)payload_in;
> +
> +    if (len_in < sizeof(*pl) ||
> +        len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
> +        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> +    }
> +
>      *len_out = 0;
>      return cxl_event_clear_records(cxlds, pl);
>  }
> -- 
> 2.43.0
> 

-- 
Fan Ni

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.