From: Alison Schofield <alison.schofield@intel.com>
To: Samuel Moelius <sam.moelius@trailofbits.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>,
Jonathan Cameron <jic23@kernel.org>,
Dave Jiang <dave.jiang@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Ira Weiny <ira.weiny@intel.com>, Dan Williams <djbw@kernel.org>,
Eric Biggers <ebiggers@kernel.org>,
Alejandro Lucero <alucerop@amd.com>,
"open list:COMPUTE EXPRESS LINK (CXL)"
<linux-cxl@vger.kernel.org>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] cxl/test: reject wrapped GET_LOG offsets
Date: Wed, 10 Jun 2026 11:01:34 -0700
Message-ID: <aimmfgWS6IPtwLVA@aschofie-mobl2.lan>
In-Reply-To: <20260605142036.2062347-1-sam.moelius@trailofbits.com>
On Fri, Jun 05, 2026 at 02:20:31PM +0000, Samuel Moelius wrote:
> The CXL mock mailbox GET_LOG handler validates the requested CEL slice
> with `offset + length > sizeof(mock_cel)`. Both fields come from the
> userspace CXL_MEM_SEND_COMMAND payload and are 32-bit values, so an
> offset near U32_MAX can wrap the addition to a small value and pass the
> bounds check.
>
> The wrapped request then uses the original large offset as the source
> address for memcpy(), reading far outside the mock CEL array.
>
> Validate the offset first and compare the length against the remaining
> CEL size so the check cannot wrap.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Hi Samuel,

I'd suggest keeping the commit log focused on the broken property and
how the fix restores it, rather than tracing the individual arithmetic
operations and later accesses, which are already evident from the code.

The GET_LOG handler is intended to reject requests that describe a CEL
range extending beyond the available data. The current validation can
incorrectly accept some malformed requests because of arithmetic
wraparound, and the fix restores that property by validating the
requested range in a way that cannot overflow.

The discussion of the subsequent memcpy() access leaves me wondering
what the observable effect actually is. Does this return bogus CEL
data, trigger KASAN, crash the test module, or something else? If there
is a demonstrated failure, please describe it. Otherwise, I think the
property being restored is the more important aspect to capture in the
commit log.

-- Alison
> ---
> tools/testing/cxl/test/mem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
> index 271c7ad8cc32..5dc9601a2a7e 100644
> --- a/tools/testing/cxl/test/mem.c
> +++ b/tools/testing/cxl/test/mem.c
> @@ -584,7 +584,7 @@ static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
> return -EINVAL;
> if (length > cxl_mbox->payload_size)
> return -EINVAL;
> - if (offset + length > sizeof(mock_cel))
> + if (offset > sizeof(mock_cel) || length > sizeof(mock_cel) - offset)
> return -EINVAL;
> if (!uuid_equal(&gl->uuid, &uuid))
> return -EINVAL;
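Review bot: the split comparison in `+ if (offset > sizeof(mock_cel) || length > sizeof(mock_cel) - offset)` cannot wrap, but it still admits `offset == sizeof(mock_cel)` together with `length == 0`, which now passes the range check and proceeds to the uuid comparison; if a zero-length slice starting at the end of the CEL is not a request the mock should honour, use `>=` in the first clause or reject `length == 0` alongside the existing `length > cxl_mbox->payload_size` check above it. A one-line comment stating that the two clauses replace the wrap-prone `offset + length` sum would also help later readers, since the reason for the split is not obvious from the code alone.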
> --
> 2.43.0
>
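As an added illustration (not part of the patch or of the kernel tree), here is a userspace C model of the pre- and post-patch GET_LOG range checks, with a constructed 64-byte stand-in for mock_cel, showing how the 32-bit `offset + length` sum wraps past the old check while the patched form rejects the same request:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the mock CEL array; 64 bytes is an assumption. */
static const uint8_t mock_cel[64];

/*
 * Pre-patch check: offset and length are both 32-bit, so the sum is
 * computed in 32-bit unsigned arithmetic and can wrap to a small value
 * before it is widened for the comparison against sizeof(mock_cel).
 */
static bool cel_range_ok_wrapping(uint32_t offset, uint32_t length)
{
	return offset + length <= sizeof(mock_cel);
}

/*
 * Patched check: bound offset on its own first, then compare length
 * against the bytes that remain. Neither step can overflow.
 */
static bool cel_range_ok_fixed(uint32_t offset, uint32_t length)
{
	if (offset > sizeof(mock_cel))
		return false;
	return length <= sizeof(mock_cel) - offset;
}

/* Returns the requested slice only when the safe check accepts it. */
static const uint8_t *cel_slice(uint32_t offset, uint32_t length)
{
	if (!cel_range_ok_fixed(offset, length))
		return NULL;
	return mock_cel + offset;
}

int main(void)
{
	/* 0xFFFFFFF0 + 0x20 wraps to 0x10 in 32 bits. */
	uint32_t offset = UINT32_MAX - 15;
	uint32_t length = 32;

	printf("wrapping check accepts: %d\n", cel_range_ok_wrapping(offset, length));
	printf("fixed check accepts:    %d\n", cel_range_ok_fixed(offset, length));
	return 0;
}
```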
Thread overview (5+ messages):
2026-06-05 14:20 [PATCH] cxl/test: reject wrapped GET_LOG offsets Samuel Moelius
2026-06-05 14:37 ` sashiko-bot
2026-06-09 18:08 ` Dave Jiang
2026-06-10 18:01 ` Alison Schofield [this message]
2026-06-10 19:03 ` Samuel Moelius