On Thu, 16 Apr 2026 16:54:21 +0100
Jonathan Cameron via qemu development <qemu-devel@nongnu.org> wrote:
> The requested entry is controlled by the guest so must be checked against
> the number of entries that actually exist.
>
> Reported as a security issue, but CXL emulation has since been declared
> to not be suitable (yet) for virtualization use cases and so the security
> handling policy does not apply.
>
> Fixes: f5ee7413d592 ("hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange")
> Fixes: 882877fc359d ("hw/pci-bridge/cxl-upstream: Add a CDAT table access DOE")
> Reported-by: Buzzy <buzzy0257@gmail.com>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Cc: <jic23@kernel.org>
I have a very short memory it seems and forgot to add linux-cxl
despite adding it to the MAINTAINERS entry yesterday.
> ---
> hw/mem/cxl_type3.c | 4 ++++
> hw/pci-bridge/cxl_upstream.c | 4 ++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 4739239da3c5..763b6a024403 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -278,6 +278,10 @@ static bool cxl_doe_cdat_rsp(DOECap *doe_cap)
> }
>
> ent = req->entry_handle;
> + if (ent >= cdat->entry_len) {
> + return false;
> + }
> +
> base = cdat->entry[ent].base;
> len = cdat->entry[ent].length;
>
> diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
> index b6281cbd4cb0..fa53fa2777fd 100644
> --- a/hw/pci-bridge/cxl_upstream.c
> +++ b/hw/pci-bridge/cxl_upstream.c
> @@ -158,6 +158,10 @@ static bool cxl_doe_cdat_rsp(DOECap *doe_cap)
> }
>
> ent = req->entry_handle;
> + if (ent >= cdat->entry_len) {
> + return false;
> + }
> +
> base = cdat->entry[ent].base;
> len = cdat->entry[ent].length;
>