| Message ID | 20241101133917.27634-4-Jonathan.Cameron@huawei.com |
|---|---|
| State | New |
| Series | hw/cxl: Mailbox input parser hardening against invalid input. |
On Fri, Nov 01, 2024 at 01:39:10PM +0000, Jonathan Cameron wrote: > Buggy software might write a message that is too short for > either the header, or the header + the event data that is specified > in the header. This may result in accesses beyond the range of the > message allocated as a duplicate of the incoming message buffer. > > Reported-by: Esifiel <esifiel@gmail.com> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > --- Reviewed-by: Fan Ni <fan.ni@samsung.com> > hw/cxl/cxl-mailbox-utils.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c > index e63140aefe..3cb499a24f 100644 > --- a/hw/cxl/cxl-mailbox-utils.c > +++ b/hw/cxl/cxl-mailbox-utils.c > @@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd, > CXLClearEventPayload *pl; > > pl = (CXLClearEventPayload *)payload_in; > + > + if (len_in < sizeof(*pl) || > + len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) { > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; > + } > + > *len_out = 0; > return cxl_event_clear_records(cxlds, pl); > } > -- > 2.43.0 >
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index e63140aefe..3cb499a24f 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd, CXLClearEventPayload *pl; pl = (CXLClearEventPayload *)payload_in; + + if (len_in < sizeof(*pl) || + len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + *len_out = 0; return cxl_event_clear_records(cxlds, pl); }
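Review bot: the order of the two clauses in the new `if` is load-bearing and deserves a comment: `len_in < sizeof(*pl)` must stay first because the second clause reads `pl->nr_recs`, which is only known to lie inside the received payload once the header fits; a short note above the check such as `/* header must fit before nr_recs can be trusted */` would stop a later cleanup from merging or reordering the conditions. Note also that the check is a lower bound only (`<` in both clauses), so a payload longer than the header plus `nr_recs` handles is still handed to `cxl_event_clear_records()`; that matches the commit message's aim of preventing over-reads rather than rejecting trailing bytes, but it is worth stating explicitly.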
Buggy software might write a message that is too short for either the header, or the header + the event data that is specified in the header. This may result in accesses beyond the range of the message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 6 ++++++
 1 file changed, 6 insertions(+)
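The commit message describes the failure mode in prose: a payload whose header says more records follow than were actually sent, so the consumer walks off the end of the copied buffer. The block below is an added example, not QEMU's code or the patch itself: a stand-alone C model of the two-stage length check, run against constructed messages that are truncated inside the header, truncated inside the handle array, exactly sized, and oversized. The struct layout (a 6-byte header followed by 16-bit handles), the result codes and the names `validate_clear_records`, `build_message` and `run_case` are assumptions for illustration and mirror only the shape the patch relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration, not the QEMU definition: a 6-byte
 * fixed header followed by nr_recs 16-bit record handles. sizeof()
 * covers only the header because handle[] is a flexible array member. */
typedef struct {
    uint8_t  event_log;
    uint8_t  clear_flags;
    uint8_t  nr_recs;
    uint8_t  reserved[3];
    uint16_t handle[];
} clear_event_payload_t;

enum { RET_SUCCESS = 0, RET_INVALID_PAYLOAD_LENGTH = 1 };

#define MAX_RECS 255   /* nr_recs is a uint8_t, so this bounds the buffer */

/* Validate that len_in bytes hold the header and every handle it claims.
 * The first test guards the second: nr_recs is read only after the header
 * is known to fit, so the validator itself never reads past len_in. */
static int validate_clear_records(const uint8_t *payload_in, size_t len_in,
                                  size_t *nr_handles_out)
{
    const clear_event_payload_t *pl = (const clear_event_payload_t *)payload_in;

    if (len_in < sizeof(*pl)) {
        return RET_INVALID_PAYLOAD_LENGTH;  /* header itself is truncated */
    }
    if (len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
        return RET_INVALID_PAYLOAD_LENGTH;  /* header claims handles that never arrived */
    }
    if (nr_handles_out) {
        *nr_handles_out = pl->nr_recs;
    }
    return RET_SUCCESS;
}

/* Build a constructed message: a header claiming nr_recs handles followed
 * by n_present actual handles. Returns the number of bytes written. */
static size_t build_message(uint8_t *buf, uint8_t nr_recs, size_t n_present)
{
    size_t len = sizeof(clear_event_payload_t);

    memset(buf, 0, len);
    buf[2] = nr_recs;                       /* offset of nr_recs in the header */
    for (size_t i = 0; i < n_present; i++) {
        uint16_t h = (uint16_t)(0x100 + i); /* constructed handle values */
        memcpy(buf + len, &h, sizeof(h));
        len += sizeof(h);
    }
    return len;
}

/* Run the validator on a message whose header claims nr_recs handles and
 * whose body carries n_present of them, cut down to len_limit bytes when
 * len_limit is non-zero. Returns the validator's result code. */
static int run_case(uint8_t nr_recs, size_t n_present, size_t len_limit)
{
    /* union member keeps the byte buffer aligned for the uint16_t cast */
    union {
        uint16_t align;
        uint8_t  b[sizeof(clear_event_payload_t) + 2 * MAX_RECS];
    } buf;
    size_t len = build_message(buf.b, nr_recs, n_present);

    if (len_limit && len_limit < len) {
        len = len_limit;
    }
    return validate_clear_records(buf.b, len, NULL);
}

int main(void)
{
    printf("4-byte message (header truncated):      %d\n", run_case(0, 0, 4));
    printf("claims 3 handles, carries 2:            %d\n", run_case(3, 2, 0));
    printf("claims 2 handles, carries 2:            %d\n", run_case(2, 2, 0));
    printf("claims 0 handles, header only:          %d\n", run_case(0, 0, 0));
    printf("claims 2 handles, carries 3 (trailing): %d\n", run_case(2, 3, 0));
    printf("claims 255 handles, carries 255:        %d\n", run_case(255, 255, 0));
    return 0;
}
```

The two truncated cases are the ones the patch exists for; the oversized case is accepted because the check is deliberately a lower bound on length, leaving any policy on trailing bytes to the caller.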