[PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log.
From: Jonathan Cameron
Subject: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log.
Date: Fri, 1 Nov 2024 13:39:13 +0000
Add a check that the requested offset + length does not go beyond the end
of the cel_log.
Whilst the cci->cel_log is large enough to include all possible CEL
entries, the guest might still ask for entries beyond the end of it.
Move the comment to this new check rather than before the check on the
type of log requested.
Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
hw/cxl/cxl-mailbox-utils.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 2aa7ffed84..5e571955b6 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -937,24 +937,28 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd
*cmd,
get_log = (void *)payload_in;
+ if (get_log->length > cci->payload_max) {
+ return CXL_MBOX_INVALID_INPUT;
+ }
+
+ if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) {
+ return CXL_MBOX_INVALID_LOG;
+ }
+
/*
* CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h)
* The device shall return Invalid Input if the Offset or Length
* fields attempt to access beyond the size of the log as reported by Get
- * Supported Logs.
+ * Supported Log.
*
- * The CEL buffer is large enough to fit all commands in the emulation, so
- * the only possible failure would be if the mailbox itself isn't big
- * enough.
+ * Only valid for there to be one entry per opcode, but the length + offset
+ * may still be greater than that if the inputs are not valid and so access
+ * beyond the end of cci->cel_log.
*/
- if (get_log->length > cci->payload_max) {
+ if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)) {
return CXL_MBOX_INVALID_INPUT;
}
- if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) {
- return CXL_MBOX_INVALID_LOG;
- }
-
/* Store off everything to local variables so we can wipe out the payload
*/
*len_out = get_log->length;
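Review bot: the new bounds check `if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log))` uses `>=`, so a request whose offset + length is exactly `sizeof(cci->cel_log)` is rejected even though that read ends at the last byte of the buffer and never goes past it; if reading up to the end of the log is meant to be allowed, the comparison should be `>` (the `uint64_t` cast is the right way to stop the sum wrapping before the compare). Separately, the comment change from `* Supported Logs.` to `* Supported Log.` alters the name of the spec command being cited; the command is Get Supported Logs, so the original plural was correct and that part of the comment edit should be dropped.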
--
2.43.0