[PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_eve

From:	Jonathan Cameron
Subject:	[PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Date:	Fri, 1 Nov 2024 13:39:10 +0000

Buggy software might write a message that is too short for
either the header, or the header + the event data that is specified
in the header.  This may result in accesses beyond the range of the
message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index e63140aefe..3cb499a24f 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct 
cxl_cmd *cmd,
     CXLClearEventPayload *pl;
 
     pl = (CXLClearEventPayload *)payload_in;
+
+    if (len_in < sizeof(*pl) ||
+        len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
+
     *len_out = 0;
     return cxl_event_clear_records(cxlds, pl);
 }
-- 
2.43.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input., Jonathan Cameron, 2024/11/01
- [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Fan Ni, 2024/11/05
- [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Fan Ni, 2024/11/05
- [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Jonathan Cameron <=
  - Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Fan Ni, 2024/11/05
- [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Fan Ni, 2024/11/05
- [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Fan Ni, 2024/11/05
- [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Fan Ni, 2024/11/05
- [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Fan Ni, 2024/11/05
- [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes, Jonathan Cameron, 2024/11/01

Prev by Date: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Next by Date: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer()
Previous by thread: Re: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Next by thread: Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Index(es):
- Date
- Thread