Message ID | 000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | Collection of DOE material | expand |
On 3/11/23 6:40 AM, Lukas Wunner wrote: > cxl_cdat_get_length() only checks whether the DOE response size is > sufficient for the Table Access response header (1 dword), but not the > succeeding CDAT header (1 dword length plus other fields). > > It thus returns whatever uninitialized memory happens to be on the stack > if a truncated DOE response with only 1 dword was received. Fix it. > > Fixes: c97006046c79 ("cxl/port: Read CDAT table") > Reported-by: Ming Li <ming4.li@intel.com> > Tested-by: Ira Weiny <ira.weiny@intel.com> > Signed-off-by: Lukas Wunner <lukas@wunner.de> > Reviewed-by: Ming Li <ming4.li@intel.com> > Reviewed-by: Dan Williams <dan.j.williams@intel.com> > Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > Cc: stable@vger.kernel.org # v6.0+ > --- Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> > drivers/cxl/core/pci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c > index 49a99a84b6aa..87da8c935185 100644 > --- a/drivers/cxl/core/pci.c > +++ b/drivers/cxl/core/pci.c > @@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev, > return rc; > } > wait_for_completion(&t.c); > - if (t.task.rv < sizeof(__le32)) > + if (t.task.rv < 2 * sizeof(__le32)) > return -EIO; I think adding a comment about the size requirement would be helpful. But it is up to you. > > *length = le32_to_cpu(t.response_pl[1]);
diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c index 49a99a84b6aa..87da8c935185 100644 --- a/drivers/cxl/core/pci.c +++ b/drivers/cxl/core/pci.c @@ -510,7 +510,7 @@ static int cxl_cdat_get_length(struct device *dev, return rc; } wait_for_completion(&t.c); - if (t.task.rv < sizeof(__le32)) + if (t.task.rv < 2 * sizeof(__le32)) return -EIO; *length = le32_to_cpu(t.response_pl[1]);