Date: Mon, 4 Nov 2024 16:08:51 -0500
From: "Michael S. Tsirkin"
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Jonathan Cameron, Esifiel, Fan Ni
Subject: [PULL 50/65] hw/cxl: Check enough data in cmd_firmware_update_transfer()

From: Jonathan Cameron

A buggy guest can write a message that advertises more data than is provided. As QEMU internally duplicates the reported message size, this may result in an out-of-bounds access. Add sanity checks on the size to avoid this.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Message-Id: <20241101133917.27634-5-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin --- hw/cxl/cxl-mailbox-utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 3cb499a24f..27fadc4fa8 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -705,6 +705,10 @@ static CXLRetCode cmd_firmware_update_transfer(const s= truct cxl_cmd *cmd, } QEMU_PACKED *fw_transfer =3D (void *)payload_in; size_t offset, length; =20 + if (len < sizeof(*fw_transfer)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (fw_transfer->action =3D=3D CXL_FW_XFER_ACTION_ABORT) { /* * At this point there aren't any on-going transfers --=20 MST
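Review bot: the new `if (len < sizeof(*fw_transfer))` guard only bounds the fixed-size header, while the commit message describes a guest advertising more data than it actually provides; the same context declares `size_t offset, length;`, so whatever transfer length is later taken from the packet must also be checked against `len - sizeof(*fw_transfer)` before any copy of the bytes that follow the header, otherwise the header check alone does not close the out-of-bounds read. If that second bound already exists further down in the function, a short comment next to this check pointing at it would save the next reader the same question. Placing the check ahead of the `CXL_FW_XFER_ACTION_ABORT` branch is fine: an abort request with a truncated header should also be rejected with `CXL_MBOX_INVALID_PAYLOAD_LENGTH` rather than have its `action` field read from beyond `len`.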