[PATCH 0/2] hw/cxl: Fix two OOB access bugs in CXL mailbox commands

Aaron Esau posted 2 patches 1 month, 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260416200702.2374709-1-git@aaronesau.com
Maintainers: Jonathan Cameron <jonathan.cameron@huawei.com>, Fan Ni <fan.ni@samsung.com>
hw/cxl/cxl-mailbox-utils.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
Posted by Aaron Esau 1 month, 1 week ago
Two fixes for CXL Type-3 device emulation in hw/cxl/cxl-mailbox-utils.c:

Patch 1: cmd_logs_get_log() performs pointer arithmetic on a struct
array using a byte offset, reading past the end of cel_log. Fix the
memmove to use byte-based pointer arithmetic (cast to uint8_t *).

Patch 2: cmd_features_set_feature() is missing bounds checks on six
Set Feature handlers (soft_ppr, hard_ppr, cacheline_sparing,
row_sparing, bank_sparing, rank_sparing). A guest-controlled offset
and payload length can overflow the small write-attribute structs
into adjacent CXLType3Dev fields. Add the same bounds check already
present in the patrol_scrub and ecs cases.

Aaron Esau (2):
  hw/cxl: fix OOB read in Get Log command due to incorrect pointer
    arithmetic
  hw/cxl: add missing bounds checks in Set Feature for PPR and sparing

 hw/cxl/cxl-mailbox-utils.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

-- 
2.53.0
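To make the two bug classes in the cover letter concrete, here is an added, self-contained illustration written for this page; it is not QEMU's code and uses hypothetical types (LogEntry, SparingWriteAttrs, DeviceState) and constructed sample data rather than the real CXL structures. get_log_bytes() shows the fix from patch 1: a guest-supplied byte offset must be applied to a uint8_t pointer, because `cel_log + offset` on a struct pointer scales the offset by sizeof(LogEntry) and can walk past the array. set_feature_write() shows the shape of the bounds check patch 2 adds: reject any (offset, length) pair that does not fit inside the small write-attribute struct before memcpy, so a payload cannot spill into the adjacent device-state field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 4-byte log entry, standing in for a CEL entry. */
typedef struct {
    uint16_t opcode;
    uint16_t effect;
} LogEntry;

#define LOG_ENTRIES 8
/* Constructed sample log contents. */
static const LogEntry cel_log[LOG_ENTRIES] = {
    {0x0100, 0}, {0x0101, 1}, {0x0102, 2}, {0x0103, 3},
    {0x0104, 4}, {0x0105, 5}, {0x0106, 6}, {0x0107, 7},
};
#define LOG_BYTES (sizeof(cel_log))

/*
 * Copy `length` bytes of the log, starting at byte `offset`, into `out`.
 * Returns the number of bytes copied, or -1 if the request does not fit
 * in the log or in the caller's buffer. The (const uint8_t *) cast is the
 * point: with a struct pointer, `cel_log + offset` would advance by
 * offset * sizeof(LogEntry) bytes and read beyond the array.
 */
int get_log_bytes(uint32_t offset, uint32_t length, uint8_t *out, size_t out_size)
{
    if (length > out_size) {
        return -1;
    }
    /* Written as two comparisons so offset + length cannot wrap. */
    if (offset > LOG_BYTES || length > LOG_BYTES - offset) {
        return -1;
    }
    memcpy(out, (const uint8_t *)cel_log + offset, length);
    return (int)length;
}

/* Hypothetical 4-byte Set Feature write-attribute struct. */
typedef struct {
    uint8_t flags;
    uint8_t mode;
    uint16_t threshold;
} SparingWriteAttrs;

/* Hypothetical device state: the field after the attrs is what an
 * unchecked write would clobber. */
typedef struct {
    SparingWriteAttrs sparing;
    uint32_t adjacent_state;
} DeviceState;

/*
 * Apply a guest-supplied partial write to dev->sparing. Returns true and
 * performs the copy only when [offset, offset + length) lies inside the
 * attrs struct; otherwise returns false and leaves the device untouched.
 */
bool set_feature_write(DeviceState *dev, uint16_t offset, uint16_t length,
                       const uint8_t *payload)
{
    if (offset > sizeof(dev->sparing) || length > sizeof(dev->sparing) - offset) {
        return false;
    }
    memcpy((uint8_t *)&dev->sparing + offset, payload, length);
    return true;
}

int main(void)
{
    uint8_t buf[8];
    int n = get_log_bytes(4, 4, buf, sizeof buf);
    printf("get_log_bytes(4, 4) -> %d\n", n);
    printf("get_log_bytes(28, 8) -> %d (rejected)\n", get_log_bytes(28, 8, buf, sizeof buf));

    DeviceState dev = { .adjacent_state = 0x11223344u };
    const uint8_t payload[8] = { 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02 };
    printf("oversized write accepted: %d\n", set_feature_write(&dev, 0, 8, payload));
    printf("adjacent_state still 0x%08x\n", dev.adjacent_state);
    printf("in-bounds write accepted: %d\n", set_feature_write(&dev, 2, 2, payload));
    return 0;
}
```

The two-comparison form of each check (`offset > size || length > size - offset`) is deliberate: a single `offset + length > size` test can wrap around on narrow integer types and accept an out-of-range request.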