From patchwork Fri Nov 1 13:39:08 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands
Date: Fri, 1 Nov 2024 13:39:08 +0000
Message-ID: <20241101133917.27634-2-Jonathan.Cameron@huawei.com>

cxl_cmd_dcd_release_dyn_cap() and cmd_dcd_add_dyn_cap_rsp() are missing input message size checks. These must be done in the individual commands when the command has a variable length input payload.

A buggy or malicious guest might send undersized messages via the mailbox. As that size is used to take a copy of the mailbox content, each command must check there is sufficient data. In this case the first check is that there is enough data to read how many extents there are, and the second that there is enough for those elements to be accessed.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 97cb8bbcec..17924410dd 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2465,11 +2465,20 @@ static CXLRetCode cmd_dcd_add_dyn_cap_rsp(const struct cxl_cmd *cmd, uint64_t dpa, len; CXLRetCode ret; + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (in->num_entries_updated == 0) { cxl_extent_group_list_delete_front(&ct3d->dc.extents_pending); return CXL_MBOX_SUCCESS; } + if (len_in < + sizeof(*in) + sizeof(*in->updated_entries) * in->num_entries_updated) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + /* Adding extents causes exceeding device's extent tracking ability. */ if (in->num_entries_updated + ct3d->dc.total_extent_count > CXL_NUM_EXTENTS_SUPPORTED) { 
@@ -2624,10 +2633,19 @@ static CXLRetCode cmd_dcd_release_dyn_cap(const struct cxl_cmd *cmd, uint32_t updated_list_size; CXLRetCode ret; + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (in->num_entries_updated == 0) { return CXL_MBOX_INVALID_INPUT; } + if (len_in < + sizeof(*in) + sizeof(*in->updated_entries) * in->num_entries_updated) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + ret = cxl_detect_malformed_extent_list(ct3d, in); if (ret != CXL_MBOX_SUCCESS) { return ret;

From patchwork Fri Nov 1 13:39:09 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Date: Fri, 1 Nov 2024 13:39:09 +0000
Message-ID: <20241101133917.27634-3-Jonathan.Cameron@huawei.com>

A buggy guest might write an insufficiently large message. Check the header is present. Whilst zero data after the header is very odd it will just result in failure to copy any data.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 17924410dd..e63140aefe 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1238,6 +1238,9 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd, CXLType3Dev *ct3d; uint16_t count; + if (len_in < sizeof(*hdr)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) { return CXL_MBOX_UNSUPPORTED;

From patchwork Fri Nov 1 13:39:10 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Date: Fri, 1 Nov 2024 13:39:10 +0000
Message-ID: <20241101133917.27634-4-Jonathan.Cameron@huawei.com>

Buggy software might write a message that is too short for either the header, or the header + the event data that is specified in the header. This may result in accesses beyond the range of the message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index e63140aefe..3cb499a24f 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd, CXLClearEventPayload *pl; pl = (CXLClearEventPayload *)payload_in; + + if (len_in < sizeof(*pl) || + len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + *len_out = 0; return cxl_event_clear_records(cxlds, pl); }

From patchwork Fri Nov 1 13:39:11 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer()
Date: Fri, 1 Nov 2024 13:39:11 +0000
Message-ID: <20241101133917.27634-5-Jonathan.Cameron@huawei.com>

Buggy guest can write a message that advertises more data than is provided. As QEMU internally duplicates the reported message size, this may result in an out of bounds access. Add sanity checks on the size to avoid this.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 3cb499a24f..27fadc4fa8 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -705,6 +705,10 @@ static CXLRetCode cmd_firmware_update_transfer(const struct cxl_cmd *cmd, } QEMU_PACKED *fw_transfer = (void *)payload_in; size_t offset, length; + if (len < sizeof(*fw_transfer)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (fw_transfer->action == CXL_FW_XFER_ACTION_ABORT) { /* * At this point there aren't any on-going transfers

From patchwork Fri Nov 1 13:39:12 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log()
Date: Fri, 1 Nov 2024 13:39:12 +0000
Message-ID: <20241101133917.27634-6-Jonathan.Cameron@huawei.com>

Checking offset + length is of no relevance when verifying the CEL data will fit in the mailbox payload. Only the length is relevant.

Note that this removes a potential overflow.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
---
 hw/cxl/cxl-mailbox-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 27fadc4fa8..2aa7ffed84 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd, * the only possible failure would be if the mailbox itself isn't big * enough. */ - if (get_log->offset + get_log->length > cci->payload_max) { + if (get_log->length > cci->payload_max) { return CXL_MBOX_INVALID_INPUT; }

From patchwork Fri Nov 1 13:39:13 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log.
Date: Fri, 1 Nov 2024 13:39:13 +0000
Message-ID: <20241101133917.27634-7-Jonathan.Cameron@huawei.com>

Add a check that the requested offset + length does not go beyond the end of the cel_log.

Whilst the cci->cel_log is large enough to include all possible CEL entries, the guest might still ask for entries beyond the end of it.

Move the comment to this new check rather than before the check on the type of log requested.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 2aa7ffed84..5e571955b6 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -937,24 +937,28 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd, get_log = (void *)payload_in; + if (get_log->length > cci->payload_max) { + return CXL_MBOX_INVALID_INPUT; + } + + if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) { + return CXL_MBOX_INVALID_LOG; + } + /* * CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h) * The device shall return Invalid Input if the Offset or Length * fields attempt to access beyond the size of the log as reported by Get - * Supported Logs. + * Supported Log. * - * The CEL buffer is large enough to fit all commands in the emulation, so - * the only possible failure would be if the mailbox itself isn't big - * enough. + * Only valid for there to be one entry per opcode, but the length + offset + * may still be greater than that if the inputs are not valid and so access + * beyond the end of cci->cel_log. */ - if (get_log->length > cci->payload_max) { + if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)) { return CXL_MBOX_INVALID_INPUT; } - if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) { - return CXL_MBOX_INVALID_LOG; - } - /* Store off everything to local variables so we can wipe out the payload */ *len_out = get_log->length;

From patchwork Fri Nov 1 13:39:14 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd()
Date: Fri, 1 Nov 2024 13:39:14 +0000
Message-ID: <20241101133917.27634-8-Jonathan.Cameron@huawei.com>

If len_in is less than the minimum spec allowed value, then return CXL_MBOX_INVALID_PAYLOAD_LENGTH.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 5e571955b6..a40d81219c 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -151,6 +151,9 @@ static CXLRetCode cmd_tunnel_management_cmd(const struct cxl_cmd *cmd, in = (void *)payload_in; out = (void *)payload_out; + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } /* Enough room for minimum sized message - no payload */ if (in->size < sizeof(in->ccimessage)) { return CXL_MBOX_INVALID_PAYLOAD_LENGTH;

From patchwork Fri Nov 1 13:39:15 2024
From: Jonathan Cameron
To: Esifiel
CC: Fan Ni
Subject: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes
Date: Fri, 1 Nov 2024 13:39:15 +0000
Message-ID: <20241101133917.27634-9-Jonathan.Cameron@huawei.com>

In cmd_features_set_feature() an offset + data size scheme is used to allow for large features. Ensure this does not write beyond the end of the buffers used to accumulate the full feature attribute set.

Reported-by: Esifiel
Signed-off-by: Jonathan Cameron
Reviewed-by: Fan Ni
---
 hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index a40d81219c..078782e8b9 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd, ps_set_feature = (void *)payload_in; ps_write_attrs = &ps_set_feature->feat_data; + + if ((uint32_t)hdr->offset + bytes_to_copy > + sizeof(ct3d->patrol_scrub_wr_attrs)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset, ps_write_attrs, bytes_to_copy); 
@@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd, ecs_set_feature = (void *)payload_in; ecs_write_attrs = ecs_set_feature->feat_data; + + if ((uint32_t)hdr->offset + bytes_to_copy > + sizeof(ct3d->ecs_wr_attrs)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset, ecs_write_attrs, bytes_to_copy); From patchwork Fri Nov 1 13:39:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 13859404 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B674168DA for ; Fri, 1 Nov 2024 13:43:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.176.79.56 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730468640; cv=none; b=qL57bXXtSg4YFkCE2R+ipy/QFbpppHTCu1zQ7lkVPUA/t9RM2tcTLIJTgtsObUBGQDfH6iOFEn5BP3SPao+rnnmiFYpRyZEt8XD5CdpAe7C+4hKph/CHDi6M6FtCyCU3tkDLYb575TKnVXz2zpAGlExEXZWLreO1KizZJXxfduA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730468640; c=relaxed/simple; bh=PpziNjUypsrUEP/BTIwS+zWycCjSvI6yDAepxjvktyk=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Or9Witjv4IvlXqt7G8pKNK33tJhXjr3drV2avFncR5r18jvmWzf7Q+VeRwlutkEbzwmfIjLAhTmJ3uU7AhgppuyJC1YWdYvqj6CfPaSkazr3B2xyrrlLrDIZNpKRFw0WRzLKYeJofNP8ULM7g3CNcrhyy/bCNJbqfDcS9nzhXKo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=185.176.79.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: 
smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Xg25M2BJVz6LD4k; Fri, 1 Nov 2024 21:39:03 +0800 (CST) Received: from frapeml500008.china.huawei.com (unknown [7.182.85.71]) by mail.maildlp.com (Postfix) with ESMTPS id 67F0E140B73; Fri, 1 Nov 2024 21:43:57 +0800 (CST) Received: from SecurePC-101-06.china.huawei.com (10.122.19.247) by frapeml500008.china.huawei.com (7.182.85.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Fri, 1 Nov 2024 14:43:56 +0100 From: Jonathan Cameron To: , , , Esifiel CC: Fan Ni , Subject: [PATCH qemu 09/10] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() Date: Fri, 1 Nov 2024 13:39:16 +0000 Message-ID: <20241101133917.27634-10-Jonathan.Cameron@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> Precedence: bulk X-Mailing-List: linux-cxl@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: lhrpeml100001.china.huawei.com (7.191.160.183) To frapeml500008.china.huawei.com (7.182.85.71) The properties of the requested set command cannot be established if len_in is less than the size of the header. Reported-by: Esifiel Signed-off-by: Jonathan Cameron Reviewed-by: Fan Ni --- hw/cxl/cxl-mailbox-utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 078782e8b9..f4a436e172 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c 
@@ -1503,8 +1503,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_cmd *cmd, const size_t hdr_len = offsetof(struct set_lsa_pl, data); *len_out = 0; - if (!len_in) { - return CXL_MBOX_SUCCESS; + if (len_in < hdr_len) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; } if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len) { From patchwork Fri Nov 1 13:39:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 13859405 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E18B316A959 for ; Fri, 1 Nov 2024 13:44:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.176.79.56 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730468672; cv=none; b=DvTjpM9z9x+mJwP5I7yDZduRcZK9/1A2ehN/E5/Q2Rsw7U1z6fgKIBcJXp0WLyMlYq4OcJ/HCjeUlqUqLMwmXMiGmWdz6vKyz1I+2isZX5Pjrd5EyxUEkFmw9HIsxi4+DIiYrkMalXrprry3TkDK9vwnvFVAFKWN0SRTie8xS8I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730468672; c=relaxed/simple; bh=KQIU6UYB/0Bq9urc8BJlZbdz4T3y4XNWG8oIsiNPUPA=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=QKeOzTcb8bx3SQUEvcQ6FrT9DtC9zhO6da7paPM+Kiea/tnpcOKnttoaC8RFzoaN00Y8IEcvNB7VO8uJCq8ZHRwrTvJSVqUrb6+MZ7nK9niFSnjlRWFZji1gqJcbZtTYRJul+rkG7Qs+vAD4krg3l89tSj4OSiiqgUBa92+FXfE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=185.176.79.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com 
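Review bot: Replacing the `if (!len_in)` early return in cmd_ccls_set_lsa() changes the result for an empty payload from CXL_MBOX_SUCCESS to CXL_MBOX_INVALID_PAYLOAD_LENGTH, and the commit message does not say that this change in guest-visible behaviour is intended; a sentence there would help anyone bisecting a guest that used to send zero-length Set LSA commands. Separately, the unchanged context line that follows still adds set_lsa_payload->offset + len_in before comparing; now that len_in >= hdr_len is guaranteed, it could be written as a comparison of set_lsa_payload->offset against cvc->get_lsa_size(ct3d) - (len_in - hdr_len), after first rejecting len_in - hdr_len larger than the LSA size, so that the check does not rely on the sum not wrapping.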
Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Xg28j17RQz6K6jJ; Fri, 1 Nov 2024 21:41:57 +0800 (CST) Received: from frapeml500008.china.huawei.com (unknown [7.182.85.71]) by mail.maildlp.com (Postfix) with ESMTPS id AAD391404FC; Fri, 1 Nov 2024 21:44:28 +0800 (CST) Received: from SecurePC-101-06.china.huawei.com (10.122.19.247) by frapeml500008.china.huawei.com (7.182.85.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Fri, 1 Nov 2024 14:44:28 +0100 From: Jonathan Cameron To: , , , Esifiel CC: Fan Ni , Subject: [PATCH qemu 10/10] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() Date: Fri, 1 Nov 2024 13:39:17 +0000 Message-ID: <20241101133917.27634-11-Jonathan.Cameron@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> References: <20241101133917.27634-1-Jonathan.Cameron@huawei.com> Precedence: bulk X-Mailing-List: linux-cxl@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: lhrpeml100001.china.huawei.com (7.191.160.183) To frapeml500008.china.huawei.com (7.182.85.71) If len_in is smaller than the header length then accessing the number of ports will result in an out of bounds access. Add a check to avoid this. Reported-by: Esifiel Signed-off-by: Jonathan Cameron Reviewed-by: Fan Ni --- hw/cxl/cxl-mailbox-utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index f4a436e172..2d4d62c454 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c 
@@ -530,6 +530,9 @@ static CXLRetCode cmd_get_physical_port_state(const struct cxl_cmd *cmd, in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in; out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out; + if (len_in < sizeof(*in)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } /* Check if what was requested can fit */ if (sizeof(*out) + sizeof(*out->ports) * in->num_ports > cci->payload_max) { return CXL_MBOX_INVALID_INPUT;
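Review bot: The new `len_in < sizeof(*in)` check in cmd_get_physical_port_state() only guarantees that in->num_ports can be read; nothing in the visible lines compares len_in with what in->num_ports implies. If the request carries a per-port list after the header that is read later in the function, a second check that len_in covers sizeof(*in) plus num_ports entries is needed, matching the two-step pattern the first patch of this series describes for the dynamic capacity commands (enough data to read the count, then enough for the elements). As a style point, a blank line between the new block and the existing "Check if what was requested can fit" comment would keep the input-length check visually separate from the output-size check.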