7a16948063
- ppc/xive: Fix ESB length overflow on 32-bit hosts - target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64 - target/ppc: Fix migration of CPUs with TLB_EMB TLB type - target/arm: Clear high SVE elements in handle_vec_simd_wshli - module: Prevent crash by resetting local_err in module_load_qom_all() - tests/docker: update debian i686 and mipsel images to bookworm - target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed) - docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str - block/blkio: use FUA flag on write zeroes only if supported - virtio-pci: Fix the use of an uninitialized irqfd - hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() - intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL - virtio-net: Avoid indirection_table_mask overflow - Fix calculation of minimum in colo_compare_tcp - target/riscv/csr.c: Fix an access to VXSAT - linux-user: Clean up unused header - raw-format: Fix error message for invalid offset/size - hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion - tests: Wait for migration completion on destination QEMU to avoid failures - acpi: ged: Add macro for acpi sleep control register - hw/intc/openpic: Improve errors for out of bounds property values - hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge - docs/tools/qemu-img.rst: fix typo (sumarizes) - audio/pw: Report more accurate error when connecting to PipeWire fails - audio/pw: Report more accurate error when connecting to PipeWire fails - dma: Fix function names in documentation Ensure the function names match. - edu: fix DMA range upper bound check - platform-bus: fix refcount leak - hw/net/can/sja1000: fix bug for single acceptance filter and standard frame - tests/avocado: fix typo in replay_linux - util/userfaultfd: Remove unused uffd_poll_events - Consider discard option when writing zeros - crypto: factor out conversion of QAPI to gcrypt constants - crypto: drop gnutls debug logging support - crypto: use consistent error reporting pattern for unsupported cipher modes - hw/gpio/aspeed_gpio: Avoid shift into sign bit Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit b6e04df301d30895427ab41a1edff0f40149bdd9)
38 lines
1.5 KiB
Diff
38 lines
1.5 KiB
Diff
From d96c34e132df55ca7be458095f23d81dfc14e0d5 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
|
|
Date: Fri, 1 Nov 2024 13:39:17 +0000
|
|
Subject: [PATCH] hw/cxl: Ensure there is enough data to read the input header
|
|
in cmd_get_physical_port_state()
|
|
|
|
If len_in is smaller than the header length then the accessing the
|
|
number of ports will result in an out of bounds access.
|
|
Add a check to avoid this.
|
|
|
|
Reported-by: Esifiel <esifiel@gmail.com>
|
|
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
|
|
Message-Id: <20241101133917.27634-11-Jonathan.Cameron@huawei.com>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
|
|
---
|
|
hw/cxl/cxl-mailbox-utils.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
|
|
index 6eff56fb1b..11a26525a2 100644
|
|
--- a/hw/cxl/cxl-mailbox-utils.c
|
|
+++ b/hw/cxl/cxl-mailbox-utils.c
|
|
@@ -505,6 +505,9 @@ static CXLRetCode cmd_get_physical_port_state(const struct cxl_cmd *cmd,
|
|
in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in;
|
|
out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out;
|
|
|
|
+ if (len_in < sizeof(*in)) {
|
|
+ return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
|
|
+ }
|
|
/* Check if what was requested can fit */
|
|
if (sizeof(*out) + sizeof(*out->ports) * in->num_ports > cci->payload_max) {
|
|
return CXL_MBOX_INVALID_INPUT;
|
|
--
|
|
2.41.0.windows.1
|
|
|