public inbox for linux-cxl@vger.kernel.org
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
To: Michael Tsirkin <mst@redhat.com>, <qemu-devel@nongnu.org>,
	Vinayak Holikatti <vinayak.kh@samsung.com>
Cc: <linuxarm@huawei.com>, <linux-cxl@vger.kernel.org>,
	Ravi Shankar <venkataravis@micron.com>
Subject: [PATCH qemu 1/2] hw/cxl: Check for overflow on sanitize media as both base and offset 64bit.
Date: Fri, 2 Jan 2026 15:47:30 +0000	[thread overview]
Message-ID: <20260102154731.474859-2-Jonathan.Cameron@huawei.com> (raw)
In-Reply-To: <20260102154731.474859-1-Jonathan.Cameron@huawei.com>

Both the size and base of a media sanitize operation are provided by the
VM, so an overflow is possible which may result in checks on valid
range passing when they should not.  Close that by checking for overflow
on the addition.

Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 hw/cxl/cxl-mailbox-utils.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index a64b8ba5351f..d8f62a13a8ec 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2411,7 +2411,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)
 static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
                              size_t length)
 {
-    uint64_t vmr_size, pmr_size, dc_size;
+    uint64_t vmr_size, pmr_size, dc_size, dpa_end;
 
     if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
         (length % CXL_CACHE_LINE_SIZE)  ||
@@ -2423,7 +2423,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
     pmr_size = get_pmr_size(ct3d, NULL);
     dc_size = get_dc_size(ct3d, NULL);
 
-    if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
+    /* sanitize 64 bit values coming from guest */
+    if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
+        return -EINVAL;
+    }
+
+    if (dpa_end > vmr_size + pmr_size + dc_size) {
         return -EINVAL;
     }
 
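Review bot: the right-hand side `vmr_size + pmr_size + dc_size` stays an unchecked sum; since those three values come from the device via `get_pmr_size(ct3d, NULL)` and `get_dc_size(ct3d, NULL)` rather than from the mailbox payload, a short comment saying that only the guest-supplied operands need the overflow check would make the asymmetry read as deliberate. The comment `/* sanitize 64 bit values coming from guest */` also overstates `length`, which the prototype declares as `size_t`; wording such as `/* guest-supplied base and length may wrap */` matches what the check actually does.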
-- 
2.48.1
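To make the wraparound concrete, here is an added example (not QEMU's code) that places the pre-patch range check beside the patched one, using constructed region sizes and a local stand-in for uadd64_overflow():

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the device's three region sizes (4 GiB each). */
#define CXL_CACHE_LINE_SIZE 64
static const uint64_t vmr_size = 4ULL << 30;
static const uint64_t pmr_size = 4ULL << 30;
static const uint64_t dc_size = 4ULL << 30;

/* Local equivalent of QEMU's uadd64_overflow(): true when a + b wraps. */
static bool uadd64_overflow(uint64_t a, uint64_t b, uint64_t *res)
{
    *res = a + b;
    return *res < a;
}

/* Before the fix: a wrapped sum can slip under the total size. */
static int validate_dpa_addr_unchecked(uint64_t dpa_addr, size_t length)
{
    if ((dpa_addr % CXL_CACHE_LINE_SIZE) || (length % CXL_CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
        return -EINVAL;
    }
    return 0;
}

/* After the fix: reject the request when the addition itself overflows. */
static int validate_dpa_addr_checked(uint64_t dpa_addr, size_t length)
{
    uint64_t dpa_end;

    if ((dpa_addr % CXL_CACHE_LINE_SIZE) || (length % CXL_CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
        return -EINVAL;
    }
    if (dpa_end > vmr_size + pmr_size + dc_size) {
        return -EINVAL;
    }
    return 0;
}
```

With a constructed guest base of UINT64_MAX - 0x3FF and a length of 0x800 the sum wraps to 0x400, so the unchecked version accepts the request (returns 0) while the checked one returns -EINVAL.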



Thread overview: 6+ messages
2026-01-02 15:47 [PATCH qemu 0/2] hw/cxl: Two media operations related fixes Jonathan Cameron
2026-01-02 15:47 ` Jonathan Cameron [this message]
2026-01-02 15:47 ` [PATCH qemu 2/2] hw/cxl: Take into account how many media operations are requested for param check Jonathan Cameron
2026-02-04 11:15 ` [PATCH qemu 0/2] hw/cxl: Two media operations related fixes Jonathan Cameron
2026-02-05 22:11 ` Michael Tokarev
2026-02-06  9:42   ` Jonathan Cameron
