hw/cxl: Check for zero length features in cmd_features_set_feature()

[PATCH qemu] hw/cxl: Check for zero length features in cmd_features_set_feature()

Jonathan Cameron via posted 1 patch 1 year, 3 months ago

Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20241108175814.1248278-1-Jonathan.Cameron@huawei.com

Maintainers: Jonathan Cameron <jonathan.cameron@huawei.com>, Fan Ni <fan.ni@samsung.com>

hw/cxl/cxl-mailbox-utils.c | 4 ++++
1 file changed, 4 insertions(+)

Expand all Fold all

[PATCH qemu] hw/cxl: Check for zero length features in cmd_features_set_feature()

Posted by Jonathan Cameron via 1 year, 3 months ago

Zero length data for features doesn't make any sense so exclude that case
early. This fixes the undefined behavior reported by coverity for a zero
length memcpy().

Resolves CID 1564900 and 1564901

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 2d4d62c454..ce9aa18364 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1288,6 +1288,10 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
     set_feat_info->data_offset = hdr->offset;
     bytes_to_copy = len_in - sizeof(CXLSetFeatureInHeader);
 
+    if (bytes_to_copy == 0) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
+
     if (qemu_uuid_is_equal(&hdr->uuid, &patrol_scrub_uuid)) {
         if (hdr->version != CXL_MEMDEV_PS_SET_FEATURE_VERSION) {
             return CXL_MBOX_UNSUPPORTED;
-- 
2.43.0

Re: [PATCH qemu] hw/cxl: Check for zero length features in cmd_features_set_feature()

Posted by Fan Ni 1 year, 2 months ago

On Fri, Nov 08, 2024 at 05:58:14PM +0000, Jonathan Cameron wrote:
> Zero length data for features doesn't make any sense so exclude that case
> early. This fixes the undefined behavior reported by coverity for a zero
> length memcpy().
> 
> Resolves CID 1564900 and 1564901
> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
>  hw/cxl/cxl-mailbox-utils.c | 4 ++++
>  1 file changed, 4 insertions(+)

Reviewed-by: Fan Ni <fan.ni@samsung.com>

> 
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index 2d4d62c454..ce9aa18364 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -1288,6 +1288,10 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
>      set_feat_info->data_offset = hdr->offset;
>      bytes_to_copy = len_in - sizeof(CXLSetFeatureInHeader);
>  
> +    if (bytes_to_copy == 0) {
> +        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> +    }
> +
>      if (qemu_uuid_is_equal(&hdr->uuid, &patrol_scrub_uuid)) {
>          if (hdr->version != CXL_MEMDEV_PS_SET_FEATURE_VERSION) {
>              return CXL_MBOX_UNSUPPORTED;

-- 
Fan Ni