1. Patchew
  2. QEMU
  3. [PULL 00/65] virtio,pc,pci: features, fixes, cleanups
  4. View patch

[PULL 56/65] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state()

Michael S. Tsirkin posted 65 patches 2 weeks, 4 days ago
[PULL 56/65] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state()
Posted by Michael S. Tsirkin 2 weeks, 4 days ago 
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

If len_in is smaller than the header length then the accessing the
number of ports will result in an out of bounds access.
Add a check to avoid this.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-11-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index f4a436e172..2d4d62c454 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -530,6 +530,9 @@ static CXLRetCode cmd_get_physical_port_state(const struct cxl_cmd *cmd,
     in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in;
     out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out;
 
+    if (len_in < sizeof(*in)) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
     /* Check if what was requested can fit */
     if (sizeof(*out) + sizeof(*out->ports) * in->num_ports > cci->payload_max) {
         return CXL_MBOX_INVALID_INPUT;
-- 
MST

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.