[PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_tran

From:	Jonathan Cameron
Subject:	[PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer()
Date:	Fri, 1 Nov 2024 13:39:11 +0000

Buggy guest can write a message that advertises more data that
is provided. As QEMU internally duplicates the reported message
size, this may result in an out of bounds access.
Add sanity checks on the size to avoid this.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 3cb499a24f..27fadc4fa8 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -705,6 +705,10 @@ static CXLRetCode cmd_firmware_update_transfer(const 
struct cxl_cmd *cmd,
     } QEMU_PACKED *fw_transfer = (void *)payload_in;
     size_t offset, length;
 
+    if (len < sizeof(*fw_transfer)) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
+
     if (fw_transfer->action == CXL_FW_XFER_ACTION_ABORT) {
         /*
          * At this point there aren't any on-going transfers
-- 
2.43.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input., Jonathan Cameron, 2024/11/01
- [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Fan Ni, 2024/11/05
- [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Fan Ni, 2024/11/05
- [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Fan Ni, 2024/11/05
- [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Jonathan Cameron <=
  - Re: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Fan Ni, 2024/11/05
- [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Fan Ni, 2024/11/05
- [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Fan Ni, 2024/11/05
- [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Fan Ni, 2024/11/05
- [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes, Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes, Fan Ni, 2024/11/05
  - Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes, Peter Maydell, 2024/11/07

Prev by Date: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Next by Date: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log()
Previous by thread: Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Next by thread: Re: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer()
Index(es):
- Date
- Thread