| Message ID | 20241101133917.27634-1-Jonathan.Cameron@huawei.com |
|---|---|
| Headers | show |
| Series | hw/cxl: Mailbox input parser hardening against invalid input. | expand |
On Fri, 1 Nov 2024 13:39:07 +0000 Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote: > The CXL device mailbox has some variable sized input commands. The payload > length for each must be established using command especific structures. > > If user space is either buggy or malicious, it may use size fields to > indicate fields beyond the end of the payload sent. Some checks on this > were missing and Esifiel picked up on this. I've tagged all these fixes > with Esifiel's Reported-by as either they were in the report or are similar > issues in other commands. > > These can mostly be easily tested by using the raw mailbox commands option > in Linux and injecting broken commands from user space. > > A typical command needs to first check that there is enough data to get to > the command specific sizing fields, then check the reported size is less > than or equal to the available payload. > > Note that I think it very unlikely anyone is currently using CXL emulation > with a VM that they do not trust, but that may happen in future so good to > fix these paths now. Sorry, forgot to list dependencies. Based-on: [PATCH 0/7] hw/cxl: Round up of fixes. Based-on: [PATCH qemu 0/2] hw/cxl: Misc fixes Based-on: Message-id: 20241014121902.2146424-1-Jonathan.Cameron@huawei.com Based-on; message-id: 20241101132005.26633-1-Jonathan.Cameron@huawei.com > > Jonathan Cameron (10): > hw/cxl: Check size of input data to dynamic capacity mailbox commands > hw/cxl: Check input includes at least the header in > cmd_features_set_feature() > hw/cxl: Check input length is large enough in > cmd_events_clear_records() > hw/cxl: Check enough data in cmd_firmware_update_transfer() > hw/cxl: Check the length of data requested fits in get_log() > hw/cxl: Avoid accesses beyond the end of cel_log. > hw/cxl: Ensuring enough data to read parameters in > cmd_tunnel_management_cmd() > hw/cxl: Check that writes do not go beyond end of target attributes > hw/cxl: Ensure there is enough data for the header in > cmd_ccls_set_lsa() > hw/cxl: Ensure there is enough data to read the input header in > cmd_get_physical_port_state() > > hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------ > 1 file changed, 62 insertions(+), 11 deletions(-) >
The CXL device mailbox has some variable sized input commands. The payload length for each must be established using command especific structures. If user space is either buggy or malicious, it may use size fields to indicate fields beyond the end of the payload sent. Some checks on this were missing and Esifiel picked up on this. I've tagged all these fixes with Esifiel's Reported-by as either they were in the report or are similar issues in other commands. These can mostly be easily tested by using the raw mailbox commands option in Linux and injecting broken commands from user space. A typical command needs to first check that there is enough data to get to the command specific sizing fields, then check the reported size is less than or equal to the available payload. Note that I think it very unlikely anyone is currently using CXL emulation with a VM that they do not trust, but that may happen in future so good to fix these paths now. Jonathan Cameron (10): hw/cxl: Check size of input data to dynamic capacity mailbox commands hw/cxl: Check input includes at least the header in cmd_features_set_feature() hw/cxl: Check input length is large enough in cmd_events_clear_records() hw/cxl: Check enough data in cmd_firmware_update_transfer() hw/cxl: Check the length of data requested fits in get_log() hw/cxl: Avoid accesses beyond the end of cel_log. hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd() hw/cxl: Check that writes do not go beyond end of target attributes hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------ 1 file changed, 62 insertions(+), 11 deletions(-)