Message ID | 20230914070635.1141840-1-frolov@swemel.ru (mailing list archive)
---|---
State | New, archived
Series | [v3] hw/cxl: Fix out of bound array access
14.09.2023 10:06, Dmitry Frolov wrote:
> According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up
> to 16. This also corresponds to CXL specs. So, the fw->target_hbs[] array
> is iterated from 0 to 15. But it is statically declared of length 8. Thus,
> out of bound array access may occur.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> v2: assert added
> v3: assert removed

So it's the same as the initial submission.

/mjt
diff --git a/include/hw/cxl/cxl.h b/include/hw/cxl/cxl.h index 56c9e7676e..4944725849 100644 --- a/include/hw/cxl/cxl.h +++ b/include/hw/cxl/cxl.h @@ -29,7 +29,7 @@ typedef struct PXBCXLDev PXBCXLDev; typedef struct CXLFixedWindow { uint64_t size; char **targets; - PXBCXLDev *target_hbs[8]; + PXBCXLDev *target_hbs[16]; uint8_t num_targets; uint8_t enc_int_ways; uint8_t enc_int_gran;
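Review bot: the new bound in `PXBCXLDev *target_hbs[16];` is a second copy of the maximum that cxl_interleave_ways_enc() already enforces, with nothing in the header tying the two together, so the next change to either side can reintroduce the same out-of-bounds write; suggest a named constant for the maximum interleave ways, used both for this array length and for the encoder's limit, plus a one-line comment on the field saying where the bound comes from. Since v2's assert was dropped in v3, nothing at the fill site now rejects a num_targets larger than the array, so some form of check there (or a build-time check that the array covers every encodable value) would be worth keeping alongside the size change.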
According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up
to 16. This also corresponds to CXL specs. So, the fw->target_hbs[] array
is iterated from 0 to 15. But it is statically declared of length 8. Thus,
out of bound array access may occur.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

v2: assert added
v3: assert removed

Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
 include/hw/cxl/cxl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
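As an added example (not QEMU's code and not part of this patch), this is the defensive shape the fix points toward: the array length and the encoder's limit share one constant, and the path that fills target_hbs[] refuses any count it cannot hold instead of writing past the array. The interleave-ways encoding table is my re-implementation of the CXL spec mapping, and every name other than target_hbs, num_targets and PXBCXLDev is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not QEMU code. Largest value the CXL HDM decoder
 * "Interleave Ways" field can express; the patch hard-codes this as 16. */
#define CXL_MAX_INTERLEAVE_WAYS 16

typedef struct PXBCXLDev PXBCXLDev;   /* opaque, as in the QEMU header */

/* Simplified stand-in for CXLFixedWindow: the array length comes from the
 * same constant the encoder enforces, not from a second literal. */
typedef struct {
    PXBCXLDev *target_hbs[CXL_MAX_INTERLEAVE_WAYS];
    uint8_t num_targets;
} FixedWindow;

/* Assumed re-implementation of the CXL interleave-ways encoding:
 * 1,2,4,8,16 -> 0..4 and 3,6,12 -> 8,9,10; any other count is invalid. */
static int interleave_ways_enc(unsigned ways)
{
    switch (ways) {
    case 1: return 0;  case 2: return 1;  case 4: return 2;
    case 8: return 3;  case 16: return 4;
    case 3: return 8;  case 6: return 9;  case 12: return 10;
    default: return -1;
    }
}

/* Copy n host-bridge pointers in, refusing (rather than overflowing) any
 * count that is not encodable or exceeds the array. The second test is
 * redundant with the encoder today; it stays so the array bound is explicit. */
static bool fixed_window_set_targets(FixedWindow *fw, PXBCXLDev **hbs, unsigned n)
{
    if (interleave_ways_enc(n) < 0 || n > CXL_MAX_INTERLEAVE_WAYS) {
        return false;
    }
    for (unsigned i = 0; i < n; i++) {
        fw->target_hbs[i] = hbs[i];   /* i < n <= array length */
    }
    fw->num_targets = (uint8_t)n;
    return true;
}

/* Constructed scenario: assign n dummy targets (never dereferenced);
 * returns the stored count, or -1 when the request is refused. */
static int try_targets(unsigned n)
{
    static PXBCXLDev *fake[32];
    FixedWindow fw = { .num_targets = 0 };
    for (unsigned i = 0; i < 32; i++) fake[i] = (PXBCXLDev *)(uintptr_t)(i + 1);
    return fixed_window_set_targets(&fw, fake, n) ? fw.num_targets : -1;
}
```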