From nobody Sat Nov 23 20:34:15 2024
From: Jonathan Cameron via qemu-devel@nongnu.org
Reply-to: Jonathan Cameron
To: , , , Esifiel
CC: Fan Ni ,
Subject: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands
Date: Fri, 1 Nov 2024 13:39:08 +0000
Message-ID: <20241101133917.27634-2-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

cxl_cmd_dcd_release_dyn_cap() and cmd_dcd_add_dyn_cap_rsp() are missing input message size checks. These must be done in the individual commands when the command has a variable length input payload.

A buggy or malicious guest might send undersized messages via the mailbox. As that size is used to take a copy of the mailbox content, each command must check there is sufficient data. In this case the first check is that there is enough data to read how many extents there are, and the second that there is enough for those elements to be accessed.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 97cb8bbcec..17924410dd 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2465,11 +2465,20 @@ static CXLRetCode cmd_dcd_add_dyn_cap_rsp(const str= uct cxl_cmd *cmd, uint64_t dpa, len; CXLRetCode ret; =20 + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (in->num_entries_updated =3D=3D 0) { cxl_extent_group_list_delete_front(&ct3d->dc.extents_pending); return CXL_MBOX_SUCCESS; } =20 + if (len_in < + sizeof(*in) + sizeof(*in->updated_entries) * in->num_entries_updat= ed) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + /* Adding extents causes exceeding device's extent tracking ability. */ if (in->num_entries_updated + ct3d->dc.total_extent_count > CXL_NUM_EXTENTS_SUPPORTED) { 
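Review bot: the product `sizeof(*in->updated_entries) * in->num_entries_updated` in the second check is only wrap-safe because sizeof() promotes it to size_t; the bound against CXL_NUM_EXTENTS_SUPPORTED that follows this hunk would cap num_entries_updated first if it were placed ahead of the length check, so consider swapping the order, or add a comment stating why the product cannot wrap for the field's width. The early `return CXL_MBOX_SUCCESS` for num_entries_updated == 0 sits between the two checks; that is correct because no entry is read on that path, but a one-line comment would stop a later reorder from moving it above the header-size check.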
@@ -2624,10 +2633,19 @@ static CXLRetCode cmd_dcd_release_dyn_cap(const str= uct cxl_cmd *cmd, uint32_t updated_list_size; CXLRetCode ret; =20 + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (in->num_entries_updated =3D=3D 0) { return CXL_MBOX_INVALID_INPUT; } =20 + if (len_in < + sizeof(*in) + sizeof(*in->updated_entries) * in->num_entries_updat= ed) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + ret =3D cxl_detect_malformed_extent_list(ct3d, in); if (ret !=3D CXL_MBOX_SUCCESS) { return ret; --=20 2.43.0 From nobody Sat Nov 23 20:34:15 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1730468468; cv=none; d=zohomail.com; s=zohoarc; b=NjXkhLzQwTVmdIXCyqC3o9vZmbOoNMVD0J/NW1ViY0Crq0V73pYGx+CZk1R0/VzmKTAm5q6Y2t0MY+GZCnhpInKlxeZuWdDfmh5yCBBbuHihq1wK+ZoSoK5UGR1H1OPTB9YnuL0aSIoiZQ6OCFor6pE65cWIyC8WqSAW7XY79mE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730468468; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=l6Vui2RRkO6Kw8Tml1spMMJBBHYHLba2ABpjPBe5yoE=; b=aVlI3F5lRpGPvisuNwgdCWSHarxJ6xo79Sa1TbU2Cvvi1jTwtauTw1UHgDnqwJQ01QnULOu5wtjR+L+4j38L+W8HHt+ZT2u+Ji3LWAh1JVxUH+k5U0y8mb1Gox8sVaEi3CT2ila8so2E6krwe30lqfaAOhQMmzjXIi4Q0Zb4eF8= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org 
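Review bot: this repeats the two-stage check from cmd_dcd_add_dyn_cap_rsp verbatim; a small helper taking len_in, the header size, the entry size and the count would keep both commands (and any future variable-length command) in step and give one place to guard the multiplication against wraparound. The ordering here is right: the header check precedes the read of num_entries_updated, and the full-length check precedes cxl_detect_malformed_extent_list(), which walks the entries.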
From: Jonathan Cameron via qemu-devel@nongnu.org
Reply-to: Jonathan Cameron
To: , , , Esifiel
CC: Fan Ni ,
Subject: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Date: Fri, 1 Nov 2024 13:39:09 +0000
Message-ID: <20241101133917.27634-3-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

A buggy guest might write an insufficiently large message. Check the header is present. Whilst zero data after the header is very odd it will just result in failure to copy any data.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 17924410dd..e63140aefe 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1238,6 +1238,9 @@ static CXLRetCode cmd_features_set_feature(const stru= ct cxl_cmd *cmd, CXLType3Dev *ct3d; uint16_t count; =20 + if (len_in < sizeof(*hdr)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } =20 if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) { return CXL_MBOX_UNSUPPORTED; --=20 2.43.0 From nobody Sat Nov 23 20:34:15 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1730468478; cv=none; d=zohomail.com; s=zohoarc; b=RHywfxSHZEQK/nfMBPuEsaEB238fKT62pU1EOw6g3mW/dntOThR+mLKH8l85Tyisc52MgPPusTa5yBPR+JeCGxpbai43xvknOuzvhiRADSGMg87+ecK1RFv6o0bkXAUTvLOOCLeXpBQxn2DCo1JhV4LLp1w5twJ1J3xskqaaQLw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730468478; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=h1BHaeZC6XCNUF/Tyy+W7OyvkTuWN2FfAuIFtqRHYcs=; b=I3sO8UTksa9MbPAsve4g1oYTCNH5GdyefaG4ksYESkE5pP2oLYpJRHnrNp/Oy0dWjDuAXBhv3v32ksLMJK9PGCEoTLnwxOlHtzTsYmfL5LeyLIZ6NWkb0LXnwOlujDYSPjaA+eezTRJAtmDN7IbfrdwThsa/2ZSlijadC8Tg0xo= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1730468478440593.9382666996141; Fri, 1 Nov 2024 06:41:18 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
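Review bot: the new check covers only the fixed header (sizeof(*hdr)); the commit message argues that zero data after the header is harmless, but this function also declares a `count`, and if that (or a length field in the header) drives a copy out of the payload, the copy size must also be bounded by len_in - sizeof(*hdr). Please confirm that bound exists below this hunk or add it here, matching the second-stage check patch 01 adds for its entries.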
From: Jonathan Cameron via qemu-devel@nongnu.org
Reply-to: Jonathan Cameron
To: , , , Esifiel
CC: Fan Ni ,
Subject: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Date: Fri, 1 Nov 2024 13:39:10 +0000
Message-ID: <20241101133917.27634-4-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

Buggy software might write a message that is too short for either the header, or the header + the event data that is specified in the header. This may result in accesses beyond the range of the message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index e63140aefe..3cb499a24f 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struc= t cxl_cmd *cmd, CXLClearEventPayload *pl; =20 pl =3D (CXLClearEventPayload *)payload_in; + + if (len_in < sizeof(*pl) || + len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + *len_out =3D 0; return cxl_event_clear_records(cxlds, pl); } --=20 2.43.0 From nobody Sat Nov 23 20:34:15 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1730468520; cv=none; d=zohomail.com; s=zohoarc; b=ReNdUmuHStXZqL1lqE2wbY0cXP+rDRGk9hjwnFF/NUX/yRq1/U3hP9m3m+703MsarogMlU5jRGtja9Ic4LQTIAE54LOOHt2MYuYXVZb3YxcjdXOSLJvtOLoNolJu/NixXPP9cVpec0yis4Utyf0ekG8qlK21kAeY3AxRY/1jVgw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730468520; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=qh35ujhVqz+XM5g/9j6Shxrqenlez5ArtVaUo0Mb30c=; b=XXC7Z3ZkqjDSiwp18ovZpK4C0v21hNavnpnqyU5r7VY4657yzU+qWSdkVkbghCPB7B9W7eyBQJwLxGrZovTa+axKC1rejt9Xkpod6dUckkFmMAxj6ZhlUZ96a0JGDg310bvsvvTUN3FlJuARR7dc7oK6Sodrl3Mcy4hTRRQ73L0= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1730468519954313.8753793597298; Fri, 1 Nov 2024 06:41:59 -0700 (PDT) Received: from localhost ([::1] 
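Review bot: the combined condition is correct only because `||` short-circuits: `pl->nr_recs` is read in the second operand and must not be evaluated once `len_in < sizeof(*pl)` has failed. That dependency is easy to lose in a later reshuffle, so either split it into two `if` statements in the style of patch 01 or add a one-line comment stating the ordering requirement. It would also help to name the type of nr_recs in the commit message, since leaving `sizeof(*pl->handle) * pl->nr_recs` without a wraparound guard is only safe if the field is narrow.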
From: Jonathan Cameron via qemu-devel@nongnu.org
Reply-to: Jonathan Cameron
To: , , , Esifiel
CC: Fan Ni ,
Subject: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer()
Date: Fri, 1 Nov 2024 13:39:11 +0000
Message-ID: <20241101133917.27634-5-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

Buggy guest can write a message that advertises more data than is provided. As QEMU internally duplicates the reported message size, this may result in an out of bounds access. Add sanity checks on the size to avoid this.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 3cb499a24f..27fadc4fa8 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -705,6 +705,10 @@ static CXLRetCode cmd_firmware_update_transfer(const s= truct cxl_cmd *cmd, } QEMU_PACKED *fw_transfer =3D (void *)payload_in; size_t offset, length; =20 + if (len < sizeof(*fw_transfer)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (fw_transfer->action =3D=3D CXL_FW_XFER_ACTION_ABORT) { /* * At this point there aren't any on-going transfers --=20 2.43.0 From nobody Sat Nov 23 20:34:15 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1730468534; cv=none; d=zohomail.com; s=zohoarc; b=R1PyI1U0Sx4Ka38FkN3NuF6t/nEdi5ESHjywiboqACA6XE2qcYfbIWPqbvx1bqPh7UMRqtdbb0ez/DAfSZkDP3pCGmEZ+4RPfrd8q0VoXV/4A2R/73hF3MiT9zwkWG44xR/97GHZ2JkRkz3v0zJ0IkgCstgeYuwcuVWPz413Dvo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730468534; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=JyrJfenoJY0EFHYaPFxXuvlJQ+K7Yp/gv6lMi9g74uM=; b=DpUodDdwRVWA4a6jh40exJBtM3nOgz9oyEyqZQa0b4FzKzV3fq2MMi6T0WkxjcCqiR+zZyGjFDgST3O0JDflgxCs2Rv0tRtUVuf90+/lHEfzv4Y+NEBSkFY05QiPx6uMWgCGEnBkGX2y+UyswV1bGbeNhlDcTabkMC1LMcwvP8M= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1730468534030505.31278252029745; Fri, 1 Nov 2024 06:42:14 -0700 (PDT) Received: from localhost ([::1] 
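Review bot: the check bounds only the fixed fw_transfer structure, while the commit message describes a guest that advertises more data than it provides; that also calls for checking that the amount of data to be copied (the `length` local declared here) does not exceed len - sizeof(*fw_transfer). If that check already exists after this hunk, the message should say so; otherwise it is missing. Also note the parameter here is `len` while the other commands in the series use `len_in`; harmless, but worth unifying.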
From: Jonathan Cameron via qemu-devel@nongnu.org
Reply-to: Jonathan Cameron
To: , , , Esifiel
CC: Fan Ni ,
Subject: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log()
Date: Fri, 1 Nov 2024 13:39:12 +0000
Message-ID: <20241101133917.27634-6-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

Checking offset + length is of no relevance when verifying the CEL data will fit in the mailbox payload. Only the length is relevant.

Note that this removes a potential overflow.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
---
 hw/cxl/cxl-mailbox-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 27fadc4fa8..2aa7ffed84 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd= *cmd, * the only possible failure would be if the mailbox itself isn't big * enough. */ - if (get_log->offset + get_log->length > cci->payload_max) { + if (get_log->length > cci->payload_max) { return CXL_MBOX_INVALID_INPUT; } =20 --=20 2.43.0 From nobody Sat Nov 23 20:34:15 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1730468558; cv=none; d=zohomail.com; s=zohoarc; b=QJuB7Z/SBf+UiOKG2Ik8oojNL/UY1D37jFzTlfH+symJJbOmrYlBAIJXQqqYRFIBZPb1I8sr+bVARGHPua/8FzPKRrbvXD7iCDbc1Z3QzlNACHc5e3PQIE+WZ80MlnwIcZG+86bhCli5HZUuyO6WSmE4HLBQGDJH+LbO7GbHeBo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1730468558; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=rv7oafliWqcKg1A16c5/eZxdUrKt+870UCD6+EgVehA=; b=Pic9wH551WgxmCbPUjMpSFZfriiSDzU6U7lSzVczdRI616Y3LAofkGEBq8AngaHzOJCP+W2rNsnpDiPApUBZy48hKV6KuWTYNNXMg5FErzJgVDDal7Z9tkXOYe5TlUEXwXIpzjWbtp/Ssi4p8Bmj5TFpARS8HzHqfM/srKjHpbE= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1730468558175749.8391125021407; Fri, 1 Nov 2024 06:42:38 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) 
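Review bot: dropping `offset` from this comparison removes the only bound on get_log->offset in the function, so between this patch and the one that adds the offset + length check against sizeof(cci->cel_log) (patch 06 in this series) the offset is unchecked. Squashing the two, or ordering them so the new bound lands first, would avoid a bisect point where offset is unvalidated. The comment above the check still describes the mailbox-size rationale, which matches the new condition.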
id 1t6rv7-000667-VO; Fri, 01 Nov 2024 09:42:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t6rv1-0005q8-Il for qemu-devel@nongnu.org; Fri, 01 Nov 2024 09:42:28 -0400 Received: from frasgout.his.huawei.com ([185.176.79.56]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t6rv0-0001K5-45 for qemu-devel@nongnu.org; Fri, 01 Nov 2024 09:42:27 -0400 Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Xg26K0qkxz6K6jx; Fri, 1 Nov 2024 21:39:53 +0800 (CST) Received: from frapeml500008.china.huawei.com (unknown [7.182.85.71]) by mail.maildlp.com (Postfix) with ESMTPS id A67E1140C72; Fri, 1 Nov 2024 21:42:24 +0800 (CST) Received: from SecurePC-101-06.china.huawei.com (10.122.19.247) by frapeml500008.china.huawei.com (7.182.85.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Fri, 1 Nov 2024 14:42:24 +0100 To: , , , Esifiel CC: Fan Ni , Subject: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log. 
Date: Fri, 1 Nov 2024 13:39:13 +0000 Message-ID: <20241101133917.27634-7-Jonathan.Cameron@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.122.19.247] X-ClientProxiedBy: lhrpeml100001.china.huawei.com (7.191.160.183) To frapeml500008.china.huawei.com (7.182.85.71) Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=185.176.79.56; envelope-from=jonathan.cameron@huawei.com; helo=frasgout.his.huawei.com X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Jonathan Cameron From: Jonathan Cameron via Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1730468559678116600 Content-Type: text/plain; charset="utf-8" Add a check that the requested offset + length does not go beyond the end of the cel_log. Whilst the cci->cel_log is large enough to include all possible CEL entries, the guest might still ask for entries beyond the end of it. Move the comment to this new check rather than before the check on the type of log requested. Reported-by: Esifiel 
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 2aa7ffed84..5e571955b6 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -937,24 +937,28 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_c= md *cmd, =20 get_log =3D (void *)payload_in; =20 + if (get_log->length > cci->payload_max) { + return CXL_MBOX_INVALID_INPUT; + } + + if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) { + return CXL_MBOX_INVALID_LOG; + } + /* * CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h) * The device shall return Invalid Input if the Offset or Length * fields attempt to access beyond the size of the log as reported b= y Get - * Supported Logs. + * Supported Log. * - * The CEL buffer is large enough to fit all commands in the emulation= , so - * the only possible failure would be if the mailbox itself isn't big - * enough. + * Only valid for there to be one entry per opcode, but the length + o= ffset + * may still be greater than that if the inputs are not valid and so a= ccess + * beyond the end of cci->cel_log. */ - if (get_log->length > cci->payload_max) { + if ((uint64_t)get_log->offset + get_log->length >=3D sizeof(cci->cel_l= og)) { return CXL_MBOX_INVALID_INPUT; } =20 - if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) { - return CXL_MBOX_INVALID_LOG; - } - /* Store off everything to local variables so we can wipe out the payl= oad */ *len_out =3D get_log->length; =20 --=20 2.43.0
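Review bot: the new bounds check `if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log))` rejects the boundary case offset + length == sizeof(cci->cel_log), which reads exactly up to the last byte of the log and is in bounds; `>` is the comparison that matches the copy semantics, and it is also what patch 08 of this series uses for the same shape of check, so the two should agree. Two smaller points in the same hunk: the comment change from `Supported Logs` to `Supported Log` looks accidental, since the spec command being cited is Get Supported Logs, and the rewritten comment sentence `Only valid for there to be one entry per opcode, but the length + offset may still be greater than that ...` reads awkwardly; something like `Only one entry per opcode is valid, but offset + length may still exceed the log size if the inputs are invalid` says the same thing more plainly. The `(uint64_t)` cast before the addition is the right call, as it stops a large offset plus length from wrapping before the comparison is made.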
Subject: [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd()
From: Jonathan Cameron
Date: Fri, 1 Nov 2024 13:39:14 +0000
Message-ID: <20241101133917.27634-8-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>

If len_in is less than the minimum spec allowed value, then return CXL_MBOX_INVALID_PAYLOAD_LENGTH.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 5e571955b6..a40d81219c 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -151,6 +151,9 @@ static CXLRetCode cmd_tunnel_management_cmd(const struc= t cxl_cmd *cmd, in =3D (void *)payload_in; out =3D (void *)payload_out; =20 + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } /* Enough room for minimum sized message - no payload */ if (in->size < sizeof(in->ccimessage)) { return CXL_MBOX_INVALID_PAYLOAD_LENGTH; --=20 2.43.0
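Review bot: the new `if (len_in < sizeof(*in))` check is correctly placed before the first dereference of `in->size`, but the visible hunk shows no check that `in->size` itself is bounded by `len_in`; if the rest of the function goes on to read `in->size` bytes of inner message out of the payload, a header can still claim more data than was actually delivered, so a second check that `in->size` does not exceed the bytes present after the header, returning CXL_MBOX_INVALID_PAYLOAD_LENGTH as well, would close that gap. Style: add a blank line between the closing `}` of the new check and the `/* Enough room for minimum sized message - no payload */` comment that follows it, matching the spacing around the other checks in this function.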
Subject: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes
Date: Fri, 1 Nov 2024 13:39:15 +0000
Message-ID: <20241101133917.27634-9-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
From: Jonathan Cameron

In cmd_features_set_feature() an offset + data size scheme is used to allow for large features. Ensure this does not write beyond the end of the buffers used to accumulate the full feature attribute set.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index a40d81219c..078782e8b9 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, =20 ps_set_feature =3D (void *)payload_in; ps_write_attrs =3D &ps_set_feature->feat_data; + + if ((uint32_t)hdr->offset + bytes_to_copy > + sizeof(ct3d->patrol_scrub_wr_attrs)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset, ps_write_attrs, bytes_to_copy);
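Review bot: the spacing around the new check is inconsistent: a blank `+` line is added before `if ((uint32_t)hdr->offset + bytes_to_copy > sizeof(ct3d->patrol_scrub_wr_attrs))`, but nothing separates its closing `}` from the `memcpy(...)` that follows, so either drop the leading blank or add one after the block. The check itself is the right one for the copy it guards: `>` admits a write that ends exactly at the end of `patrol_scrub_wr_attrs`, and widening `hdr->offset` before the addition keeps the sum from wrapping in the offset's own width.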
@@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, =20 ecs_set_feature =3D (void *)payload_in; ecs_write_attrs =3D ecs_set_feature->feat_data; + + if ((uint32_t)hdr->offset + bytes_to_copy > + sizeof(ct3d->ecs_wr_attrs)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset, ecs_write_attrs, bytes_to_copy); --=20 2.43.0
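Review bot: this is the same bounds check as in the patrol scrub branch of the previous hunk with only the destination buffer changed (`sizeof(ct3d->ecs_wr_attrs)` in place of `sizeof(ct3d->patrol_scrub_wr_attrs)`); a small static helper taking the destination size, `hdr->offset` and `bytes_to_copy` and returning whether the write fits would keep the two branches, and any feature type added later, from drifting apart. The same blank-line inconsistency applies here: one is added before the check, none between its `}` and the `memcpy(...)`.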
Subject: [PATCH qemu 09/10] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa()
Date: Fri, 1 Nov 2024 13:39:16 +0000
Message-ID: <20241101133917.27634-10-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
From: Jonathan Cameron

The properties of the requested set command cannot be established if len_in is less than the size of the header.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 078782e8b9..f4a436e172 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1503,8 +1503,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_c= md *cmd, const size_t hdr_len =3D offsetof(struct set_lsa_pl, data); =20 *len_out =3D 0; - if (!len_in) { - return CXL_MBOX_SUCCESS; + if (len_in < hdr_len) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; } =20 if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_l= en) { --=20 2.43.0
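Review bot: replacing `if (!len_in) { return CXL_MBOX_SUCCESS;` with `if (len_in < hdr_len) { return CXL_MBOX_INVALID_PAYLOAD_LENGTH;` changes the result for a zero-length payload from success to an error; that is the sensible outcome, since a set command without its header has nothing to act on, but the commit message only mentions the too-short case and should state that the previous no-op success path is gone, as anything relying on it will now see a failure. The following check `set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len` is now safe to reach because the header is known to be present; if `offset` is a 32-bit field, widening it to uint64_t before the addition, as patch 06 of this series does, would also keep a large offset from wrapping that comparison.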
Subject: [PATCH qemu 10/10] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state()
Date: Fri, 1 Nov 2024 13:39:17 +0000
Message-ID: <20241101133917.27634-11-Jonathan.Cameron@huawei.com>
In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com>
From: Jonathan Cameron

If len_in is smaller than the header length then accessing the number of ports will result in an out of bounds access. Add a check to avoid this.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index f4a436e172..2d4d62c454 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -530,6 +530,9 @@ static CXLRetCode cmd_get_physical_port_state(const str= uct cxl_cmd *cmd, in =3D (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in; out =3D (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out; =20 + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } /* Check if what was requested can fit */ if (sizeof(*out) + sizeof(*out->ports) * in->num_ports > cci->payload_= max) { return CXL_MBOX_INVALID_INPUT; --=20 2.43.0
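Review bot: the new `if (len_in < sizeof(*in))` check makes the read of `in->num_ports` safe, but if the request payload carries a per-port list after that field (the response side clearly has one, given `sizeof(*out->ports) * in->num_ports`), `len_in` should also be checked against `sizeof(*in)` plus `in->num_ports` entries before those are read; as the hunk stands, `num_ports` is validated against `cci->payload_max` for the output size only, while the input list it describes is still taken on trust. Style: as in patch 07, a blank line between the closing `}` of the new check and the `/* Check if what was requested can fit */` comment would match the surrounding code.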