The CXL mock mailbox GET_LOG handler validates the requested CEL slice
with `offset + length > sizeof(mock_cel)`. Both fields come from the
userspace CXL_MEM_SEND_COMMAND payload and are 32-bit values, so an
offset near U32_MAX can wrap the addition to a small value and pass the
bounds check.
The wrapped request then uses the original large offset as the source
address for memcpy(), reading far outside the mock CEL array.
Validate the offset first and compare the length against the remaining
CEL size so the check cannot wrap.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
tools/testing/cxl/test/mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
index 271c7ad8cc32..5dc9601a2a7e 100644
--- a/tools/testing/cxl/test/mem.c
+++ b/tools/testing/cxl/test/mem.c
@@ -584,7 +584,7 @@ static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
return -EINVAL;
if (length > cxl_mbox->payload_size)
return -EINVAL;
- if (offset + length > sizeof(mock_cel))
+ if (offset > sizeof(mock_cel) || length > sizeof(mock_cel) - offset)
return -EINVAL;
if (!uuid_equal(&gl->uuid, &uuid))
return -EINVAL;
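Review bot: the replacement condition is correct and cannot wrap: `offset > sizeof(mock_cel)` is evaluated first, so `sizeof(mock_cel) - offset` never underflows, and because `sizeof` yields a size_t the 32-bit `offset` and `length` are each compared in size_t rather than added in 32-bit arithmetic as the old `offset + length` was. One nit: `offset == sizeof(mock_cel)` is still accepted (with `length` then limited to 0), which results in a zero-byte memcpy() whose source is one past the end of the array; if that case is not meant to succeed, `offset >= sizeof(mock_cel)` would reject it. The earlier `length > cxl_mbox->payload_size` check above is unchanged and still applies, so the new test only has to bound the slice against the CEL itself.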
--
2.43.0