[PATCH qemu 02/10] hw/cxl: Check input includes at least the header in c

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH qemu 02/10] hw/cxl: Check input includes at least the header in c

From:	Jonathan Cameron
Subject:	[PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Date:	Fri, 1 Nov 2024 13:39:09 +0000

A buggy guest might write an insufficiently large message.
Check the header is present. Whilst zero data after the header is very
odd it will just result in failure to copy any data.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 17924410dd..e63140aefe 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1238,6 +1238,9 @@ static CXLRetCode cmd_features_set_feature(const struct 
cxl_cmd *cmd,
     CXLType3Dev *ct3d;
     uint16_t count;
 
+    if (len_in < sizeof(*hdr)) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
 
     if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) {
         return CXL_MBOX_UNSUPPORTED;
-- 
2.43.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input., Jonathan Cameron, 2024/11/01
- [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands, Fan Ni, 2024/11/05
- [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Jonathan Cameron <=
  - Re: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature(), Fan Ni, 2024/11/05
- [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), Fan Ni, 2024/11/05
- [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Fan Ni, 2024/11/05
- [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Fan Ni, 2024/11/05
- [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Jonathan Cameron, 2024/11/01
  - Re: [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Fan Ni, 2024/11/05
- [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Jonathan Cameron, 2024/11/01

Prev by Date: Re: [PULL 00/50] riscv-to-apply queue
Next by Date: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records()
Previous by thread: Re: [PATCH qemu 01/10] hw/cxl: Check size of input data to dynamic capacity mailbox commands
Next by thread: Re: [PATCH qemu 02/10] hw/cxl: Check input includes at least the header in cmd_features_set_feature()
Index(es):
- Date
- Thread