From: Aaron Esau <aaron1esau@gmail.com>
To: qemu-devel@nongnu.org
Cc: Jonathan.Cameron@huawei.com, jic23@kernel.org,
berrange@redhat.com, Aaron Esau <aaron1esau@gmail.com>,
qemu-stable@nongnu.org
Subject: [PATCH 1/2] hw/cxl: fix OOB read in Get Log command due to incorrect pointer arithmetic
Date: Thu, 16 Apr 2026 15:07:01 -0500
Message-ID: <20260416200702.2374709-2-git@aaronesau.com>
In-Reply-To: <20260416200702.2374709-1-git@aaronesau.com>
From: Aaron Esau <aaron1esau@gmail.com>
The memmove in cmd_logs_get_log() uses cci->cel_log + get_log->offset,
which performs pointer arithmetic in units of sizeof(struct cel_log)
(4 bytes per element). However, per CXL r3.1 Section 8.2.9.5.2, the
offset field is a byte offset into the log.
The existing bounds check correctly treats offset as a byte value:
(uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)
But the memmove reads from a position that is get_log->offset *
sizeof(cel_log[0]) bytes past the start, which can be well beyond the
array even when the bounds check passes. For example, offset=65536 and
length=512 passes the check (66048 < sizeof(cel_log)) but the memmove
reads from byte 262144 past cel_log, leaking adjacent heap data.
Fix by casting to uint8_t * before adding the byte offset, matching the
semantics assumed by the bounds check.
Cc: qemu-stable@nongnu.org
Fixes: 056172691b ("hw/cxl/device: Add log commands (8.2.9.4) + CEL")
Reported-by: Aaron Esau <aaron1esau@gmail.com>
Signed-off-by: Aaron Esau <aaron1esau@gmail.com>
---
hw/cxl/cxl-mailbox-utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index d8ba7e8625..0adf1e72c8 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1217,7 +1217,8 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd,
/* Store off everything to local variables so we can wipe out the payload */
*len_out = get_log->length;
- memmove(payload_out, cci->cel_log + get_log->offset, get_log->length);
+ memmove(payload_out, (uint8_t *)cci->cel_log + get_log->offset,
+ get_log->length);
return CXL_MBOX_SUCCESS;
}
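Review bot: the cast to uint8_t * is the right fix, but the check this memmove relies on (quoted in the commit message as `(uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)`) is not in this hunk, so the byte-offset assumption now lives in two places with nothing tying them together; a one-line comment above the memmove saying that get_log->offset is a byte offset per CXL r3.1 8.2.9.5.2 would stop a later cleanup from dropping the cast and reintroducing the scaled read. Separately, that check uses `>=`, so a request for the tail of the log where offset + length == sizeof(cci->cel_log) is rejected even though every byte it asks for is in bounds; if that is deliberate it deserves a comment, otherwise `>` is the correct comparison.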
--
2.53.0
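The mismatch the commit message describes, as an added example that is not part of the patch or of QEMU's code: a stand-in CEL buffer of 65536 four-byte entries with a constructed "adjacent" region behind it, the byte-based bounds check as quoted above, and the pre-fix and post-fix copy side by side. The struct, field and function names (cci_state, cel_log_entry, get_log_cmd, get_log_buggy, get_log_fixed) are assumptions for illustration; the in-struct guard in get_log_buggy exists only so the demonstration never reads outside memory it owns.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the CEL storage: 65536 entries of 4 bytes, as the
 * commit message describes. Names are assumptions, not QEMU's own. */
struct cel_log_entry { uint16_t opcode; uint16_t effect; };
#define CEL_ENTRIES (1u << 16)

struct cci_state {
    struct cel_log_entry cel_log[CEL_ENTRIES];
    uint8_t adjacent[64 * 1024];  /* constructed: whatever happens to follow cel_log */
};

struct get_log_cmd { uint32_t offset; uint32_t length; };

static struct cci_state g_cci;

/* Byte distance that the element-scaled expression `cel_log + offset` reaches:
 * pointer arithmetic on a struct pointer steps in sizeof(struct) units. */
uint64_t scaled_byte_offset(uint32_t offset) {
    return (uint64_t)offset * sizeof(struct cel_log_entry);
}

/* The bounds check as quoted in the commit message; it treats offset as bytes. */
int cel_bounds_ok(const struct get_log_cmd *cmd) {
    return (uint64_t)cmd->offset + cmd->length < sizeof(g_cci.cel_log);
}

/* Pre-fix behaviour: byte check passes, then the copy starts at the scaled
 * address, i.e. offset * 4 bytes in. Returns bytes copied, or -1 if rejected
 * by the check, -2 if the demo guard refused to leave our own struct. */
int64_t get_log_buggy(struct cci_state *cci, const struct get_log_cmd *cmd, uint8_t *out) {
    if (!cel_bounds_ok(cmd)) return -1;
    if (scaled_byte_offset(cmd->offset) + cmd->length > sizeof(*cci)) return -2; /* demo-only guard */
    memmove(out, cci->cel_log + cmd->offset, cmd->length);
    return cmd->length;
}

/* Post-fix behaviour: cast to a byte pointer first, so offset is added in bytes. */
int64_t get_log_fixed(struct cci_state *cci, const struct get_log_cmd *cmd, uint8_t *out) {
    if (!cel_bounds_ok(cmd)) return -1;
    memmove(out, (uint8_t *)cci->cel_log + cmd->offset, cmd->length);
    return cmd->length;
}

/* Fill the log with recognisable entries and the adjacent region with 0xA5
 * so a leak is easy to spot. */
void init_demo_state(struct cci_state *cci) {
    for (uint32_t i = 0; i < CEL_ENTRIES; i++) {
        cci->cel_log[i].opcode = (uint16_t)i;
        cci->cel_log[i].effect = 0;
    }
    memset(cci->adjacent, 0xA5, sizeof(cci->adjacent));
}

int main(void) {
    uint8_t out[512];
    struct get_log_cmd cmd = { 65536, 512 };  /* the commit message's example */
    init_demo_state(&g_cci);

    printf("check passes: %d, scaled start = %llu bytes, sizeof(cel_log) = %zu\n",
           cel_bounds_ok(&cmd), (unsigned long long)scaled_byte_offset(cmd.offset),
           sizeof(g_cci.cel_log));

    get_log_buggy(&g_cci, &cmd, out);
    printf("buggy first byte: 0x%02x (0xa5 means adjacent memory was copied)\n", out[0]);

    get_log_fixed(&g_cci, &cmd, out);
    printf("fixed first byte: 0x%02x (bytes of CEL entry %u)\n", out[0], cmd.offset / 4);
    return 0;
}
```

With offset=65536 the scaled start is 262144 bytes, exactly sizeof(cel_log), so the pre-fix copy begins at the first byte past the array while the check, seeing 66048 < 262144, lets it through; the fixed copy starts 65536 bytes in, at entry 16384.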
Thread overview: 5+ messages
2026-04-16 20:07 [PATCH 0/2] hw/cxl: Fix two OOB access bugs in CXL mailbox commands Aaron Esau
2026-04-16 20:07 ` Aaron Esau [this message]
2026-05-13 6:35 ` [PATCH 1/2] hw/cxl: fix OOB read in Get Log command due to incorrect pointer arithmetic Michael Tokarev
2026-05-13 21:41 ` Aaron Esau
2026-04-16 20:07 ` [PATCH 2/2] hw/cxl: add missing bounds checks in Set Feature for PPR and sparing Aaron Esau