[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 14/17] hw/cxl: Fix out of bound array access
From: |
Michael Tokarev |
Subject: |
[PULL 14/17] hw/cxl: Fix out of bound array access |
Date: |
Thu, 21 Sep 2023 11:35:03 +0300 |
From: Dmitry Frolov <frolov@swemel.ru>
According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up
to 16. This also corresponds to CXL r3.0 spec. So, the fw->target_hbs[]
array is iterated from 0 to 15. But it is statically declared of length 8.
Thus, out of bound array access may occur.
Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from
TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Link: 20230913101055.754709-1-frolov@swemel.ru">https://lore.kernel.org/r/20230913101055.754709-1-frolov@swemel.ru
Cc: qemu-stable@nongnu.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
include/hw/cxl/cxl.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/cxl/cxl.h b/include/hw/cxl/cxl.h
index 56c9e7676e..4944725849 100644
--- a/include/hw/cxl/cxl.h
+++ b/include/hw/cxl/cxl.h
@@ -29,7 +29,7 @@ typedef struct PXBCXLDev PXBCXLDev;
typedef struct CXLFixedWindow {
uint64_t size;
char **targets;
- PXBCXLDev *target_hbs[8];
+ PXBCXLDev *target_hbs[16];
uint8_t num_targets;
uint8_t enc_int_ways;
uint8_t enc_int_gran;
--
2.39.2
- [PULL 03/17] i386: spelling fixes, (continued)
- [PULL 03/17] i386: spelling fixes, Michael Tokarev, 2023/09/21
- [PULL 02/17] bsd-user: spelling fixes, Michael Tokarev, 2023/09/21
- [PULL 05/17] hw/pci: spelling fixes, Michael Tokarev, 2023/09/21
- [PULL 09/17] hw/i386/pc: fix code comment on cumulative flash size, Michael Tokarev, 2023/09/21
- [PULL 10/17] hw/cxl: Fix CFMW config memory leak, Michael Tokarev, 2023/09/21
- [PULL 08/17] subprojects: Use the correct .git suffix in the repository URLs, Michael Tokarev, 2023/09/21
- [PULL 04/17] hw/net: spelling fixes, Michael Tokarev, 2023/09/21
- [PULL 07/17] hw/other: spelling fixes, Michael Tokarev, 2023/09/21
- [PULL 11/17] hw/pci-bridge/cxl_upstream: Fix bandwidth entry base unit for SSLBIS, Michael Tokarev, 2023/09/21
- [PULL 12/17] hw/cxl/cxl_device: Replace magic number in CXLError definition, Michael Tokarev, 2023/09/21
- [PULL 14/17] hw/cxl: Fix out of bound array access,
Michael Tokarev <=
- [PULL 13/17] docs/cxl: Change to lowercase as others, Michael Tokarev, 2023/09/21
- [PULL 15/17] hw/mem/cxl_type3: Add missing copyright and license notice, Michael Tokarev, 2023/09/21
- [PULL 16/17] docs/cxl: Cleanout some more aarch64 examples., Michael Tokarev, 2023/09/21
- [PULL 17/17] docs/devel/reset.rst: Correct function names, Michael Tokarev, 2023/09/21
- Re: [PULL 00/17] Trivial patches for 2023-09-21, Stefan Hajnoczi, 2023/09/21