Linux CXL
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Richard Cheng" <icheng@nvidia.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v3 1/5] cxl/features: Reject feature offset that overflows 16-bit field
Date: Wed, 08 Jul 2026 07:58:50 +0000	[thread overview]
Message-ID: <20260708075850.EAEAD1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260708074228.43654-2-icheng@nvidia.com>

Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:

New issues:
- [Medium] The newly introduced feature transfer size validation incorrectly rejects valid reads/writes, causing an off-by-one bounds check error.

Pre-existing issues:
- [High] Missing bounds check on user-provided `out_len` and `count` leads to arbitrary heap buffer overflow and potential `ZERO_SIZE_PTR` dereference in `cxlctl_get_feature` and `cxlctl_set_feature`.
- [High] Missing bounds check on user-supplied `in_len` and `op_size` leads to out-of-bounds heap reads and potential kernel crashes in `cxlctl_set_feature`.
- [High] Hardware-induced heap buffer overflow in `cxl_get_feature()` loop due to incorrect static `size_out` tracking.
- [Medium] Internal mailbox command failures mask their error codes and return SUCCESS to the `fwctl` user.
--

--- Patch [1]: [PATCH v3 1/5] cxl/features: Reject feature offset that overflows 16-bit field ---
commit c16baccf7c99ea7335aa40b18d19b96e88ef46aa
Author: Richard Cheng <icheng@nvidia.com>

cxl/features: Reject feature offset that overflows 16-bit field

cxl_get_feature() and cxl_set_feature() build each mailbox command's
offset from the starting offset plus the amount of data already
transferred, then store it in a 16-bit field. An user-controlled fwctl
offset and transfer size can exceed the feature extent, allowing a later
offset to be truncated by cpu_to_le16() and target the wrong feature
data.

> diff --git a/drivers/cxl/core/features.c b/drivers/cxl/core/features.c
> index 85185af46b72d..aaa408445fd40 100644
> --- a/drivers/cxl/core/features.c
> +++ b/drivers/cxl/core/features.c
> @@ -235,7 +235,10 @@ size_t cxl_get_feature(struct cxl_mailbox *cxl_mbox, const uuid_t *feat_uuid,
>  		*return_code = CXL_MBOX_CMD_RC_INPUT;
>  
>  	if (!feat_out || !feat_out_size)
> -		return 0;
> +		return -EINVAL;
> +
> +	if (feat_out_size > U16_MAX - offset)
> +		return -EINVAL;

[Severity: Medium]
Does this logic contain an off-by-one error?

If a user requests exactly 65536 bytes at offset 0, feat_out_size would be
65536. Since U16_MAX is 65535, 65536 > 65535 - 0 evaluates to true, which
incorrectly rejects a valid read.

[ ... ]

> @@ -258,7 +261,7 @@ size_t cxl_get_feature(struct cxl_mailbox *cxl_mbox, const uuid_t *feat_uuid,
>  		if (rc < 0 || !mbox_cmd.size_out) {
>  			if (return_code)
>  				*return_code = mbox_cmd.return_code;

[Severity: High]
This isn't a bug introduced by this patch, but could this lead to a
hardware-induced heap buffer overflow?

Looking at the loop just before this check:

    mbox_cmd = (struct cxl_mbox_cmd) {
        ...
        .size_out = size_out,
        .payload_out = feat_out + data_rcvd_size,
        .min_out = data_to_rd_size,
    };
    rc = cxl_internal_send_cmd(cxl_mbox, &mbox_cmd);

The command struct tells the mailbox transport that it has size_out bytes of
space remaining in payload_out, even though the actual remaining space requested
for this iteration is data_to_rd_size. If a buggy or malicious hardware device
ignores min_out and returns up to size_out bytes, could the transport blindly
overwrite memory past the end of feat_out?

[Severity: Medium]
This is also a pre-existing issue, but does this mask internal mailbox command
failures?

When cxl_internal_send_cmd() fails before getting a response (e.g., due to a
timeout or busy state), mbox_cmd.return_code retains its 0-initialized value.
Does setting *return_code to 0 end up propagating a SUCCESS response to the
fwctl user, even though the command failed?

> -			return 0;
> +			return rc < 0 ? rc : -EIO;
>  		}
>  		data_rcvd_size += mbox_cmd.size_out;
>  	} while (data_rcvd_size < feat_out_size);

[ ... ]

> @@ -287,6 +290,9 @@ int cxl_set_feature(struct cxl_mailbox *cxl_mbox,
>  	if (return_code)
>  		*return_code = CXL_MBOX_CMD_RC_INPUT;
>  
> +	if (feat_data_size > U16_MAX - offset)
> +		return -EINVAL;

[Severity: Medium]
Does this have the same off-by-one bounds check error as cxl_get_feature() when
writing a full 64KB extent?

[ ... ]

> @@ -476,16 +483,17 @@ static void *cxlctl_get_feature(struct cxl_features_state *cxlfs,
>  	if (!rpc_out)
>  		return ERR_PTR(-ENOMEM);
>  
> -	out_size = cxl_get_feature(cxl_mbox, &feat_in->uuid,
> -				   feat_in->selection, rpc_out->payload,
> -				   count, offset, &return_code);

[Severity: High]
This isn't a bug introduced by this patch, but does this lack a bounds check
against count?

The rpc_out buffer is allocated just above using the user-provided out_size:

    struct fwctl_rpc_cxl_out *rpc_out __free(kvfree) =
        kvzalloc(out_size, GFP_KERNEL);

However, cxl_get_feature() will write up to count bytes into rpc_out->payload.
If a user calls the FWCTL_RPC ioctl with a small out_len but a large count,
could this lead to an arbitrary heap buffer overflow?

Additionally, if out_size is 0, kvzalloc() returns ZERO_SIZE_PTR. Would the
later assignment of rpc_out->size = 0 or data_size trigger a kernel panic?

Similar missing bounds checks on user-supplied in_len and op_size appear to
exist in cxlctl_set_feature() and cxlctl_fw_rpc(), which could lead to
out-of-bounds heap reads or ZERO_SIZE_PTR dereferences.

> +	data_size = cxl_get_feature(cxl_mbox, &feat_in->uuid,
> +				    feat_in->selection, rpc_out->payload,
> +				    count, offset, &return_code);
>  	*out_len = sizeof(struct fwctl_rpc_cxl_out);
> -	if (!out_size) {
> +	if (data_size <= 0) {
>  		rpc_out->size = 0;
>  		rpc_out->retval = return_code;
>  		return no_free_ptr(rpc_out);
>  	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260708074228.43654-1-icheng@nvidia.com?part=1

  reply	other threads:[~2026-07-08  7:58 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  7:42 [PATCH v3 0/5] cxl: Sashiko bug fixes Richard Cheng
2026-07-08  7:42 ` [PATCH v3 1/5] cxl/features: Reject feature offset that overflows 16-bit field Richard Cheng
2026-07-08  7:58   ` sashiko-bot [this message]
2026-07-08  7:42 ` [PATCH v3 2/5] cxl/region: Scan all partitions for unmapped poison Richard Cheng
2026-07-08  7:42 ` [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan Richard Cheng
2026-07-08  7:53   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 4/5] cxl/region: Start unmapped poison scan at the committed decoder boundary Richard Cheng
2026-07-08  7:58   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 5/5] cxl/memdev: Don't overwrite the error from an earlier partition poison query Richard Cheng
2026-07-08  7:55   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708075850.EAEAD1F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=icheng@nvidia.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox