qemu/hw-cxl-Ensure-there-is-enough-data-to-read-the-input.patch

From d96c34e132df55ca7be458095f23d81dfc14e0d5 Mon Sep 17 00:00:00 2001
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date: Fri, 1 Nov 2024 13:39:17 +0000
Subject: [PATCH] hw/cxl: Ensure there is enough data to read the input header
 in cmd_get_physical_port_state()

If len_in is smaller than the header length then the accessing the
number of ports will result in an out of bounds access.
Add a check to avoid this.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-11-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
 hw/cxl/cxl-mailbox-utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 6eff56fb1b..11a26525a2 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -505,6 +505,9 @@ static CXLRetCode cmd_get_physical_port_state(const struct cxl_cmd *cmd,
     in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in;
     out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out;
 
+    if (len_in < sizeof(*in)) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
     /* Check if what was requested can fit */
     if (sizeof(*out) + sizeof(*out->ports) * in->num_ports > cci->payload_max) {
         return CXL_MBOX_INVALID_INPUT;
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-24: - ppc/xive: Fix ESB length overflow on 32-bit hosts - target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64 - target/ppc: Fix migration of CPUs with TLB_EMB TLB type - target/arm: Clear high SVE elements in handle_vec_simd_wshli - module: Prevent crash by resetting local_err in module_load_qom_all() - tests/docker: update debian i686 and mipsel images to bookworm - target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed) - docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str - block/blkio: use FUA flag on write zeroes only if supported - virtio-pci: Fix the use of an uninitialized irqfd - hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() - intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL - virtio-net: Avoid indirection_table_mask overflow - Fix calculation of minimum in colo_compare_tcp - target/riscv/csr.c: Fix an access to VXSAT - linux-user: Clean up unused header - raw-format: Fix error message for invalid offset/size - hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion - tests: Wait for migration completion on destination QEMU to avoid failures - acpi: ged: Add macro for acpi sleep control register - hw/intc/openpic: Improve errors for out of bounds property values - hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge - docs/tools/qemu-img.rst: fix typo (sumarizes) - audio/pw: Report more accurate error when connecting to PipeWire fails - audio/pw: Report more accurate error when connecting to PipeWire fails - dma: Fix function names in documentation Ensure the function names match. - edu: fix DMA range upper bound check - platform-bus: fix refcount leak - hw/net/can/sja1000: fix bug for single acceptance filter and standard frame - tests/avocado: fix typo in replay_linux - util/userfaultfd: Remove unused uffd_poll_events - Consider discard option when writing zeros - crypto: factor out conversion of QAPI to gcrypt constants - crypto: drop gnutls debug logging support - crypto: use consistent error reporting pattern for unsupported cipher modes - hw/gpio/aspeed_gpio: Avoid shift into sign bit Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit b6e04df301d30895427ab41a1edff0f40149bdd9) 2024-11-30 08:36:49 +08:00			`From d96c34e132df55ca7be458095f23d81dfc14e0d5 Mon Sep 17 00:00:00 2001`
			`From: Jonathan Cameron <Jonathan.Cameron@huawei.com>`
			`Date: Fri, 1 Nov 2024 13:39:17 +0000`
			`Subject: [PATCH] hw/cxl: Ensure there is enough data to read the input header`
			`in cmd_get_physical_port_state()`

			`If len_in is smaller than the header length then the accessing the`
			`number of ports will result in an out of bounds access.`
			`Add a check to avoid this.`

			`Reported-by: Esifiel <esifiel@gmail.com>`
			`Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>`
			`Message-Id: <20241101133917.27634-11-Jonathan.Cameron@huawei.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>`
			`---`
			`hw/cxl/cxl-mailbox-utils.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c`
			`index 6eff56fb1b..11a26525a2 100644`
			`--- a/hw/cxl/cxl-mailbox-utils.c`
			`+++ b/hw/cxl/cxl-mailbox-utils.c`
			`@@ -505,6 +505,9 @@ static CXLRetCode cmd_get_physical_port_state(const struct cxl_cmd *cmd,`
			`in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in;`
			`out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out;`

			`+ if (len_in < sizeof(*in)) {`
			`+ return CXL_MBOX_INVALID_PAYLOAD_LENGTH;`
			`+ }`
			`/* Check if what was requested can fit */`
			`if (sizeof(out) + sizeof(out->ports) * in->num_ports > cci->payload_max) {`
			`return CXL_MBOX_INVALID_INPUT;`
			`--`
			`2.41.0.windows.1`