[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of
|
From: |
Fan Ni |
|
Subject: |
Re: [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes |
|
Date: |
Tue, 5 Nov 2024 13:32:10 -0800 |
On Fri, Nov 01, 2024 at 01:39:15PM +0000, Jonathan Cameron wrote:
> In cmd_features_set_feature() the an offset + data size schemed
Not 100% sure if I get it right, but s/the an/the/.
> is used to allow for large features. Ensure this does not write
> beyond the end fo the buffers used to accumulate the full feature
s/fo/of/
> attribute set.
Other than that,
Reviewed-by: Fan Ni <fan.ni@samsung.com>
>
> Reported-by: Esifiel <esifiel@gmail.com>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
> hw/cxl/cxl-mailbox-utils.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index a40d81219c..078782e8b9 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -1292,6 +1292,11 @@ static CXLRetCode cmd_features_set_feature(const
> struct cxl_cmd *cmd,
>
> ps_set_feature = (void *)payload_in;
> ps_write_attrs = &ps_set_feature->feat_data;
> +
> + if ((uint32_t)hdr->offset + bytes_to_copy >
> + sizeof(ct3d->patrol_scrub_wr_attrs)) {
> + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> + }
> memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset,
> ps_write_attrs,
> bytes_to_copy);
> @@ -1314,6 +1319,11 @@ static CXLRetCode cmd_features_set_feature(const
> struct cxl_cmd *cmd,
>
> ecs_set_feature = (void *)payload_in;
> ecs_write_attrs = ecs_set_feature->feat_data;
> +
> + if ((uint32_t)hdr->offset + bytes_to_copy >
> + sizeof(ct3d->ecs_wr_attrs)) {
> + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> + }
> memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset,
> ecs_write_attrs,
> bytes_to_copy);
> --
> 2.43.0
>
--
Fan Ni
- Re: [PATCH qemu 03/10] hw/cxl: Check input length is large enough in cmd_events_clear_records(), (continued)
- [PATCH qemu 04/10] hw/cxl: Check enough data in cmd_firmware_update_transfer(), Jonathan Cameron, 2024/11/01
- [PATCH qemu 05/10] hw/cxl: Check the length of data requested fits in get_log(), Jonathan Cameron, 2024/11/01
- [PATCH qemu 06/10] hw/cxl: Avoid accesses beyond the end of cel_log., Jonathan Cameron, 2024/11/01
- [PATCH qemu 07/10] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd(), Jonathan Cameron, 2024/11/01
- [PATCH qemu 08/10] hw/cxl: Check that writes do not go beyond end of target attributes, Jonathan Cameron, 2024/11/01
- [PATCH qemu 09/10] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa(), Jonathan Cameron, 2024/11/01
- [PATCH qemu 10/10] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state(), Jonathan Cameron, 2024/11/01
- Re: [PATCH qemu 00/10] hw/cxl: Mailbox input parser hardening against invalid input., Jonathan Cameron, 2024/11/01