Message ID | 20241101133917.27634-6-Jonathan.Cameron@huawei.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | hw/cxl: Mailbox input parser hardening against invalid input. | expand |
On Fri, Nov 01, 2024 at 01:39:12PM +0000, Jonathan Cameron wrote: > Checking offset + length is of no relevance when verifying the CEL > data will fit in the mailbox payload. Only the length is is relevant. s/is is/is/ > > Note that this removes a potential overflow. > > Reported-by: Esifiel <esifiel@gmail.com> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > --- > hw/cxl/cxl-mailbox-utils.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c > index 27fadc4fa8..2aa7ffed84 100644 > --- a/hw/cxl/cxl-mailbox-utils.c > +++ b/hw/cxl/cxl-mailbox-utils.c > @@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd, > * the only possible failure would be if the mailbox itself isn't big > * enough. > */ > - if (get_log->offset + get_log->length > cci->payload_max) { > + if (get_log->length > cci->payload_max) { If offset is beyond the size of cel_log, will it be a problem? There is a comment just above saying " * The CEL buffer is large enough to fit all commands in the emulation, so * the only possible failure would be if the mailbox itself isn't big * enough. " Not sure how it avoids the case when the offset is too large. Fan > return CXL_MBOX_INVALID_INPUT; > } > > -- > 2.43.0 >
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 27fadc4fa8..2aa7ffed84 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd, * the only possible failure would be if the mailbox itself isn't big * enough. */ - if (get_log->offset + get_log->length > cci->payload_max) { + if (get_log->length > cci->payload_max) { return CXL_MBOX_INVALID_INPUT; }
Checking offset + length is of no relevance when verifying the CEL data will fit in the mailbox payload. Only the length is is relevant. Note that this removes a potential overflow. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> --- hw/cxl/cxl-mailbox-utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)