Re: [PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c

[Jonathan Cameron via <qemu-devel@nongnu.org>]

On Tue, 17 Sep 2024 11:09:16 +0300
Dmitry Frolov <frolov@swemel.ru> wrote:

> The sum offset + length may overflow uint32. Since this sum is
> compared with uint64_t return value of get_lsa_size(), it makes
> sense to choose uint64_t type for offset and length.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
That would take a crazy LSA configuration but indeed looks possible.
Does it matter?

If this happens we'll falsely pass the check, then the values will
get passed into get_lsa() which does have sanity checks, but they
are asserts.

So indeed good to fix this and the suggested fix is fine.

I've queued it up but will be at travelling this week so
might be a while before I send out a fixes series with this in.

Thanks,

Jonathan


> 
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
>  hw/cxl/cxl-mailbox-utils.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index 9258e48f95..9f794e4655 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -1445,7 +1445,7 @@ static CXLRetCode cmd_ccls_get_lsa(const struct cxl_cmd *cmd,
>      } QEMU_PACKED *get_lsa;
>      CXLType3Dev *ct3d = CXL_TYPE3(cci->d);
>      CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
> -    uint32_t offset, length;
> +    uint64_t offset, length;
>  
>      get_lsa = (void *)payload_in;
>      offset = get_lsa->offset;