1. Patchew
  2. QEMU
  3. [PULL 00/65] virtio,pc,pci: features, fixes, cleanups
  4. View patch

[PULL 52/65] hw/cxl: Avoid accesses beyond the end of cel_log.

Michael S. Tsirkin posted 65 patches 2 weeks, 4 days ago
[PULL 52/65] hw/cxl: Avoid accesses beyond the end of cel_log.
Posted by Michael S. Tsirkin 2 weeks, 4 days ago 
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Add a check that the requested offset + length does not go beyond the end
of the cel_log.

Whilst the cci->cel_log is large enough to include all possible CEL
entries, the guest might still ask for entries beyond the end of it.
Move the comment to this new check rather than before the check on the
type of log requested.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-7-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/cxl/cxl-mailbox-utils.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 2aa7ffed84..5e571955b6 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -937,16 +937,6 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd,
 
     get_log = (void *)payload_in;
 
-    /*
-     * CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h)
-     *   The device shall return Invalid Input if the Offset or Length
-     *   fields attempt to access beyond the size of the log as reported by Get
-     *   Supported Logs.
-     *
-     * The CEL buffer is large enough to fit all commands in the emulation, so
-     * the only possible failure would be if the mailbox itself isn't big
-     * enough.
-     */
     if (get_log->length > cci->payload_max) {
         return CXL_MBOX_INVALID_INPUT;
     }
@@ -955,6 +945,20 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd,
         return CXL_MBOX_INVALID_LOG;
     }
 
+    /*
+     * CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h)
+     *   The device shall return Invalid Input if the Offset or Length
+     *   fields attempt to access beyond the size of the log as reported by Get
+     *   Supported Log.
+     *
+     * Only valid for there to be one entry per opcode, but the length + offset
+     * may still be greater than that if the inputs are not valid and so access
+     * beyond the end of cci->cel_log.
+     */
+    if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)) {
+        return CXL_MBOX_INVALID_INPUT;
+    }
+
     /* Store off everything to local variables so we can wipe out the payload */
     *len_out = get_log->length;
 
-- 
MST

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.