| Message ID | 20240917080925.270597-2-frolov@swemel.ru (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | hw/cxl: fix uint32 overflow cxl-mailbox-utils.c | expand |
On Tue, 17 Sep 2024 11:09:16 +0300 Dmitry Frolov <frolov@swemel.ru> wrote: > The sum offset + length may overflow uint32. Since this sum is > compared with uint64_t return value of get_lsa_size(), it makes > sense to choose uint64_t type for offset and length. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. That would take a crazy LSA configuration but indeed looks possible. Does it matter? If this happens we'll falsely pass the check, then the values will get passed into get_lsa() which does have sanity checks, but they are asserts. So indeed good to fix this and the suggested fix is fine. I've queued it up but will be at travelling this week so might be a while before I send out a fixes series with this in. Thanks, Jonathan > > Signed-off-by: Dmitry Frolov <frolov@swemel.ru> > --- > hw/cxl/cxl-mailbox-utils.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c > index 9258e48f95..9f794e4655 100644 > --- a/hw/cxl/cxl-mailbox-utils.c > +++ b/hw/cxl/cxl-mailbox-utils.c > @@ -1445,7 +1445,7 @@ static CXLRetCode cmd_ccls_get_lsa(const struct cxl_cmd *cmd, > } QEMU_PACKED *get_lsa; > CXLType3Dev *ct3d = CXL_TYPE3(cci->d); > CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d); > - uint32_t offset, length; > + uint64_t offset, length; > > get_lsa = (void *)payload_in; > offset = get_lsa->offset;
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 9258e48f95..9f794e4655 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1445,7 +1445,7 @@ static CXLRetCode cmd_ccls_get_lsa(const struct cxl_cmd *cmd, } QEMU_PACKED *get_lsa; CXLType3Dev *ct3d = CXL_TYPE3(cci->d); CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d); - uint32_t offset, length; + uint64_t offset, length; get_lsa = (void *)payload_in; offset = get_lsa->offset;
The sum offset + length may overflow uint32. Since this sum is compared with uint64_t return value of get_lsa_size(), it makes sense to choose uint64_t type for offset and length. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Frolov <frolov@swemel.ru> --- hw/cxl/cxl-mailbox-utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)