[PATCH v2] cxl/test: Verify cmd->size_in before accessing payload

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] cxl/test: Verify cmd->size_in before accessing payload
@ 2026-06-05 18:15 Dave Jiang
  2026-06-05 18:32 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Dave Jiang @ 2026-06-05 18:15 UTC (permalink / raw)
  To: linux-cxl; +Cc: dave, jic23, alison.schofield, djbw, sam.moelius

Pre-existing issue discovered by sashiko-bot.

Add a check for cmd->size_in before accessing the payload. This prevents
potential dereferencing of a null pointer if size_in is zero.

Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver")
Fixes: d1dca858f058 ("cxl/test: Add generic mock events")
Fixes: f6448cb5f2f3 ("tools/testing/cxl: add firmware update emulation to CXL memdevs")
Fixes: e77e9c107978 ("cxl/test: Add Get Feature support to cxl_test")
Link: https://lore.kernel.org/linux-cxl/20260605143748.235271F00893@smtp.kernel.org/
Suggested-by: sashiko-bot
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
v2:
Change compare to 0 to payload size. (sashiko)
---
 tools/testing/cxl/test/mem.c | 39 +++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
index 271c7ad8cc32..2e9a5f151e98 100644
--- a/tools/testing/cxl/test/mem.c
+++ b/tools/testing/cxl/test/mem.c
@@ -312,12 +312,17 @@ static int mock_get_event(struct device *dev, struct cxl_mbox_cmd *cmd)
 
 static int mock_clear_event(struct device *dev, struct cxl_mbox_cmd *cmd)
 {
-	struct cxl_mbox_clear_event_payload *pl = cmd->payload_in;
+	struct cxl_mbox_clear_event_payload *pl;
 	struct mock_event_log *log;
-	u8 log_type = pl->event_log;
+	u8 log_type;
 	u16 handle;
 	int nr;
 
+	if (cmd->size_in < sizeof(*pl))
+		return -EINVAL;
+
+	pl = cmd->payload_in;
+	log_type = pl->event_log;
 	if (log_type >= CXL_EVENT_TYPE_MAX)
 		return -EINVAL;
 
@@ -574,14 +579,19 @@ static int mock_gsl(struct cxl_mbox_cmd *cmd)
 static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
 {
 	struct cxl_mailbox *cxl_mbox = &mds->cxlds.cxl_mbox;
-	struct cxl_mbox_get_log *gl = cmd->payload_in;
-	u32 offset = le32_to_cpu(gl->offset);
-	u32 length = le32_to_cpu(gl->length);
 	uuid_t uuid = DEFINE_CXL_CEL_UUID;
+	struct cxl_mbox_get_log *gl;
 	void *data = &mock_cel;
+	u32 offset;
+	u32 length;
 
 	if (cmd->size_in < sizeof(*gl))
 		return -EINVAL;
+
+	gl = cmd->payload_in;
+	offset = le32_to_cpu(gl->offset);
+	length = le32_to_cpu(gl->length);
+
 	if (length > cxl_mbox->payload_size)
 		return -EINVAL;
 	if (offset + length > sizeof(mock_cel))
@@ -1336,10 +1346,14 @@ static int mock_fw_info(struct cxl_mockmem_data *mdata,
 static int mock_transfer_fw(struct cxl_mockmem_data *mdata,
 			    struct cxl_mbox_cmd *cmd)
 {
-	struct cxl_mbox_transfer_fw *transfer = cmd->payload_in;
+	struct cxl_mbox_transfer_fw *transfer;
 	void *fw = mdata->fw;
 	size_t offset, length;
 
+	if (cmd->size_in < sizeof(*transfer))
+		return -EINVAL;
+
+	transfer = cmd->payload_in;
 	offset = le32_to_cpu(transfer->offset) * CXL_FW_TRANSFER_ALIGNMENT;
 	length = cmd->size_in - sizeof(*transfer);
 	if (offset + length > FW_SIZE)
@@ -1415,11 +1429,18 @@ static int mock_get_test_feature(struct cxl_mockmem_data *mdata,
 				 struct cxl_mbox_cmd *cmd)
 {
 	struct vendor_test_feat *output = cmd->payload_out;
-	struct cxl_mbox_get_feat_in *input = cmd->payload_in;
-	u16 offset = le16_to_cpu(input->offset);
-	u16 count = le16_to_cpu(input->count);
+	struct cxl_mbox_get_feat_in *input;
+	u16 offset;
+	u16 count;
 	u8 *ptr;
 
+	if (cmd->size_in < sizeof(*input))
+		return -EINVAL;
+
+	input = cmd->payload_in;
+	offset = le16_to_cpu(input->offset);
+	count = le16_to_cpu(input->count);
+
 	if (offset > sizeof(*output)) {
 		cmd->return_code = CXL_MBOX_CMD_RC_INPUT;
 		return -EINVAL;

base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] cxl/test: Verify cmd->size_in before accessing payload
  2026-06-05 18:15 [PATCH v2] cxl/test: Verify cmd->size_in before accessing payload Dave Jiang
@ 2026-06-05 18:32 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-05 18:32 UTC (permalink / raw)
  To: Dave Jiang; +Cc: linux-cxl

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete bounds check in mock_clear_event leads to an out-of-bounds read vulnerability.
- [High] NULL pointer dereferences in mock feature handlers due to bounds checks being placed too late or missing entirely.
- [High] Out-of-bounds write on the heap in mock handlers due to missing or inadequate output bounds validation.
- [High] Integer overflow in mock_get_log bypasses bounds checks and causes a massive out-of-bounds read.
--

commit 95b18e396910f0c346a2bf6b9e8a26169223eef2
Author: Dave Jiang <dave.jiang@intel.com>
cxl/test: Verify cmd->size_in before accessing payload

Add a check for cmd->size_in before accessing the payload. This prevents
potential dereferencing of a null pointer if size_in is zero.

Link: https://lore.kernel.org/linux-cxl/20260605143748.235271F00893@smtp.kernel.org/

> diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
> index 271c7ad8cc32c..2e9a5f151e983 100644
> --- a/tools/testing/cxl/test/mem.c
> +++ b/tools/testing/cxl/test/mem.c
> @@ -312,12 +312,17 @@ static int mock_get_event(struct device *dev, struct cxl_mbox_cmd *cmd)
>  
>  static int mock_clear_event(struct device *dev, struct cxl_mbox_cmd *cmd)
>  {
[ ... ]
> +
> +	if (cmd->size_in < sizeof(*pl))
> +		return -EINVAL;
> +
> +	pl = cmd->payload_in;
> +	log_type = pl->event_log;

[Severity: High]
This isn't a bug introduced by this patch, but since we are adding a bounds
check here, does it fully protect against out-of-bounds reads?

Later in this function, there is a loop:

tools/testing/cxl/test/mem.c:mock_clear_event() {
    ...
    for (nr = 0, handle = event_get_clear_handle(log);
         nr < pl->nr_recs;
         nr++, handle++) {
        if (handle != le16_to_cpu(pl->handles[nr])) {
    ...
}

If the user provides a payload where size_in only covers the header (exactly
sizeof(*pl)) but sets nr_recs > 0, won't this loop read past the end of the
cmd->payload_in buffer?

[ ... ]
> @@ -574,14 +579,19 @@ static int mock_gsl(struct cxl_mbox_cmd *cmd)
>  static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
>  {
[ ... ]
> +
> +	gl = cmd->payload_in;
> +	offset = le32_to_cpu(gl->offset);
> +	length = le32_to_cpu(gl->length);
> +
>  	if (length > cxl_mbox->payload_size)
>  		return -EINVAL;
>  	if (offset + length > sizeof(mock_cel))

[Severity: High]
This isn't a bug introduced by this patch, but is there an integer overflow
in this bounds check?

Both offset and length are u32 variables controlled by the user. If offset is
very large and length is small, could offset + length wrap around to a small
number and bypass this check?

This might lead to an out-of-bounds read in the subsequent memcpy():

tools/testing/cxl/test/mem.c:mock_get_log() {
    ...
    memcpy(cmd->payload_out, data + offset, length);
    ...
}

[ ... ]
> @@ -1415,11 +1429,18 @@ static int mock_get_test_feature(struct cxl_mockmem_data *mdata,
>  				 struct cxl_mbox_cmd *cmd)
>  {
[ ... ]
> +	if (cmd->size_in < sizeof(*input))
> +		return -EINVAL;
> +
> +	input = cmd->payload_in;
> +	offset = le16_to_cpu(input->offset);
> +	count = le16_to_cpu(input->count);
> +

[Severity: High]
This isn't a bug introduced by this patch, but while this check prevents null
pointer dereferences within mock_get_test_feature(), its caller
mock_get_feature() appears to unconditionally dereference cmd->payload_in
before getting here:

tools/testing/cxl/test/mem.c:mock_get_feature() {
    ...
    struct cxl_mbox_get_feat_in *input = cmd->payload_in;

    if (uuid_equal(&input->uuid, &CXL_VENDOR_FEATURE_TEST))
    ...
}

If userspace sends a command with size_in = 0, will it trigger a panic before
ever reaching this new check? Similar omissions appear to exist in
mock_set_feature() and mock_get_supported_features().

[Severity: High]
This isn't a bug introduced by this patch, but while looking at bounds
validation in these mock handlers, is there an out-of-bounds write on the
heap in other functions?

For example, mock_get_supported_features() writes to cmd->payload_out without
validating that cmd->size_out is large enough:

tools/testing/cxl/test/mem.c:mock_get_supported_features() {
    ...
    out->supported_feats = cpu_to_le16(MAX_CXL_TEST_FEATS);
    cmd->return_code = 0;
    if (count < struct_size(out, ents, MAX_CXL_TEST_FEATS)) {
        out->num_entries = 0;
        return 0;
    }

    out->num_entries = cpu_to_le16(MAX_CXL_TEST_FEATS);
    feat = out->ents;
    fill_feature_vendor_test(feat);
    ...
}

This function checks the requested input count instead of the actual allocated
cmd->size_out before writing 48 bytes to the flexible array out->ents.
Similarly, mock_get_poison() copies dynamically sized poison records to
payload_out without checking if cmd->size_out is large enough.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605181508.3981107-1-dave.jiang@intel.com?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-05 18:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-05 18:15 [PATCH v2] cxl/test: Verify cmd->size_in before accessing payload Dave Jiang
2026-06-05 18:32 ` sashiko-bot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.