Linux CXL
 help / color / mirror / Atom feed
* [PATCH v2] cxl/features: Reject Get Feature count larger than the output buffer
@ 2026-06-24 13:47 Richard Cheng
  2026-06-24 14:05 ` sashiko-bot
  2026-06-24 20:54 ` Alison Schofield
  0 siblings, 2 replies; 8+ messages in thread
From: Richard Cheng @ 2026-06-24 13:47 UTC (permalink / raw)
  To: dave, jic23, dave.jiang, alison.schofield, vishal.l.verma, djbw,
	danwilliams
  Cc: iweiny, ming.li, kobak, kaihengf, kees, newtonl, kristinc, mochs,
	linux-cxl, linux-kernel, Richard Cheng

cxlctl_get_feature() sizes its output buffer from the user's
fwctl_rpc.out_len, but the device is told to write
cxl_mbox_get_feat_in.count bytes into rpc_out->payload, which is a
separate user-controlled value. Nothing bounds count against out_len, so
a small out_len with a large count overflows the kvzalloc()'d buffer.
A heap OOB write reachable from FWCTL_RPC.

Reject requests where count exceeds the available payload room, before
allocating.

Fixes: 5908f3ed6dc2 ("cxl: Add support to handle user feature commands for get feature")
Reviewed-by: Kai-Heng Feng <kaihengf@nvidia.com>
Reviewed-by: Koba Ko <kobak@nvidia.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Richard Cheng <icheng@nvidia.com>
---
Changelog:

v1 -> v2:
    - Drop the reproducer and trim the KASAN splat in the commit message
    - Sent the reproducer as a regression test in ndctl separately.

Best regards,
Richard Cheng
---
 drivers/cxl/core/features.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/cxl/core/features.c b/drivers/cxl/core/features.c
index 85185af46b72..9c714ee42a41 100644
--- a/drivers/cxl/core/features.c
+++ b/drivers/cxl/core/features.c
@@ -471,6 +471,10 @@ static void *cxlctl_get_feature(struct cxl_features_state *cxlfs,
 	if (!count)
 		return ERR_PTR(-EINVAL);
 
+	if (out_size < offsetof(struct fwctl_rpc_cxl_out, payload) ||
+	    count > out_size - offsetof(struct fwctl_rpc_cxl_out, payload))
+		return ERR_PTR(-EINVAL);
+
 	struct fwctl_rpc_cxl_out *rpc_out __free(kvfree) =
 		kvzalloc(out_size, GFP_KERNEL);
 	if (!rpc_out)

base-commit: ef0c9f75a19532d7675384708fc8621e10850104
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2026-06-29 15:37 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24 13:47 [PATCH v2] cxl/features: Reject Get Feature count larger than the output buffer Richard Cheng
2026-06-24 14:05 ` sashiko-bot
2026-06-24 20:54 ` Alison Schofield
2026-06-24 21:10   ` Alison Schofield
2026-06-26  7:27     ` Richard Cheng
2026-06-26 16:17       ` Dave Jiang
2026-06-29  2:12         ` Richard Cheng
2026-06-29 15:37           ` Dave Jiang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox