Re: [PATCH qemu] hw/cxl: Avoid out of bounds read when userspace requests data off end of CDAT.

Re: [PATCH qemu] hw/cxl: Avoid out of bounds read when userspace requests data off end of CDAT.

[Jonathan Cameron]

On Thu, 16 Apr 2026 16:54:21 +0100
Jonathan Cameron via qemu development <qemu-devel@nongnu.org> wrote:

> The requested entry is controlled by the guest so must be checked against
> the number of entries that actually exist.
> 
> Reported as a security issue, but CXL emulation has since been declared
> to not be suitable (yet) for virtualization use cases and so the security
> handling policy does not apply.
> 
> Fixes: f5ee7413d592 ("hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange")
> Fixes: 882877fc359d ("hw/pci-bridge/cxl-upstream: Add a CDAT table access DOE")
> Reported-by: Buzzy <buzzy0257@gmail.com>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Cc: <jic23@kernel.org>

I have a very short memory it seems and forgot to add linux-cxl
despite adding it to the MAINTAINERS entry yesterday. 

> ---
>  hw/mem/cxl_type3.c           | 4 ++++
>  hw/pci-bridge/cxl_upstream.c | 4 ++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 4739239da3c5..763b6a024403 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -278,6 +278,10 @@ static bool cxl_doe_cdat_rsp(DOECap *doe_cap)
>      }
>  
>      ent = req->entry_handle;
> +    if (ent >= cdat->entry_len) {
> +        return false;
> +    }
> +
>      base = cdat->entry[ent].base;
>      len = cdat->entry[ent].length;
>  
> diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
> index b6281cbd4cb0..fa53fa2777fd 100644
> --- a/hw/pci-bridge/cxl_upstream.c
> +++ b/hw/pci-bridge/cxl_upstream.c
> @@ -158,6 +158,10 @@ static bool cxl_doe_cdat_rsp(DOECap *doe_cap)
>      }
>  
>      ent = req->entry_handle;
> +    if (ent >= cdat->entry_len) {
> +        return false;
> +    }
> +
>      base = cdat->entry[ent].base;
>      len = cdat->entry[ent].length;
>