qemu/hw-cxl-Ensure-there-is-enough-data-for-the-header-in.patch

From 830009038a73e496598c26679b7e30d7e931a1cf Mon Sep 17 00:00:00 2001
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date: Fri, 1 Nov 2024 13:39:16 +0000
Subject: [PATCH] hw/cxl: Ensure there is enough data for the header in
 cmd_ccls_set_lsa()

The properties of the requested set command cannot be established if
len_in is less than the size of the header.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-10-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
 hw/cxl/cxl-mailbox-utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 6eff56fb1b..9f2304389b 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -897,8 +897,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_cmd *cmd,
     const size_t hdr_len = offsetof(struct set_lsa_pl, data);
 
     *len_out = 0;
-    if (!len_in) {
-        return CXL_MBOX_SUCCESS;
+    if (len_in < hdr_len) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
     }
 
     if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len) {
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-25: - hw/arm/virt:Keep Guest L1 cache type consistent with KVM - cvm : Add support for TEE-based national encryption acceleration. - Add virtCCA Coda annotation Adjust the position of the security device - target/i386: sev: Add support for reuse ASID for different CSV guests - target/i386: sev: Fix incompatibility between SEV and CSV on the GET_ID API - hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() - hw/pci: Add parenthesis to PCI_BUILD_BDF macro - hw/audio/hda: free timer on exit - meson.build: Remove ncurses workaround for OpenBSD - ui/console-vc: Silence warning about sprintf() on OpenBSD - ui: remove break after g_assert_not_reached() - s390x/sclp: Simplify get_sclp_device() - hw/vfio/hct: qemu startup terminate once error happened in hct - hw/vfio/hct: fix ccp_index error caused by uninitialized buf - hw/vfio/hct: update support ccp count to 48. - hw/vfio: add device hct based on vfio. Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 702a9cc4e262a50f7aa6f7c9549fbc13d4cd0770) 2024-11-30 08:43:54 +08:00			`From 830009038a73e496598c26679b7e30d7e931a1cf Mon Sep 17 00:00:00 2001`
			`From: Jonathan Cameron <Jonathan.Cameron@huawei.com>`
			`Date: Fri, 1 Nov 2024 13:39:16 +0000`
			`Subject: [PATCH] hw/cxl: Ensure there is enough data for the header in`
			`cmd_ccls_set_lsa()`

			`The properties of the requested set command cannot be established if`
			`len_in is less than the size of the header.`

			`Reported-by: Esifiel <esifiel@gmail.com>`
			`Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>`
			`Message-Id: <20241101133917.27634-10-Jonathan.Cameron@huawei.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>`
			`---`
			`hw/cxl/cxl-mailbox-utils.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c`
			`index 6eff56fb1b..9f2304389b 100644`
			`--- a/hw/cxl/cxl-mailbox-utils.c`
			`+++ b/hw/cxl/cxl-mailbox-utils.c`
			`@@ -897,8 +897,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_cmd *cmd,`
			`const size_t hdr_len = offsetof(struct set_lsa_pl, data);`

			`*len_out = 0;`
			`- if (!len_in) {`
			`- return CXL_MBOX_SUCCESS;`
			`+ if (len_in < hdr_len) {`
			`+ return CXL_MBOX_INVALID_PAYLOAD_LENGTH;`
			`}`

			`if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len) {`
			`--`
			`2.41.0.windows.1`