diff options
| author | Jonathan Cameron <Jonathan.Cameron@huawei.com> | 2024-11-01 13:39:11 +0000 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2024-11-04 16:03:25 -0500 |
| commit | a3995360aeec62902f045142840c1fd334e9725f (patch) | |
| tree | 963caea53cba84d6861512d8dbbf25b2b6636e36 /hw/cxl/cxl-mailbox-utils.c | |
| parent | f4a12ba66bebfe200d7f56015c1cd5af321ab152 (diff) | |
| download | focaccia-qemu-a3995360aeec62902f045142840c1fd334e9725f.tar.gz focaccia-qemu-a3995360aeec62902f045142840c1fd334e9725f.zip | |
hw/cxl: Check enough data in cmd_firmware_update_transfer()
Buggy guest can write a message that advertises more data that is provided. As QEMU internally duplicates the reported message size, this may result in an out of bounds access. Add sanity checks on the size to avoid this. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20241101133917.27634-5-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw/cxl/cxl-mailbox-utils.c')
| -rw-r--r-- | hw/cxl/cxl-mailbox-utils.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 3cb499a24f..27fadc4fa8 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -705,6 +705,10 @@ static CXLRetCode cmd_firmware_update_transfer(const struct cxl_cmd *cmd, } QEMU_PACKED *fw_transfer = (void *)payload_in; size_t offset, length; + if (len < sizeof(*fw_transfer)) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + if (fw_transfer->action == CXL_FW_XFER_ACTION_ABORT) { /* * At this point there aren't any on-going transfers |