[PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c
@ 2024-09-17  8:09 Dmitry Frolov
  2024-09-17  9:28 ` Jonathan Cameron via
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Frolov @ 2024-09-17  8:09 UTC (permalink / raw)
  To: jonathan.cameron; +Cc: sdl.qemu, qemu-devel, fan.ni, Dmitry Frolov

The sum offset + length may overflow uint32. Since this sum is
compared with uint64_t return value of get_lsa_size(), it makes
sense to choose uint64_t type for offset and length.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
 hw/cxl/cxl-mailbox-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 9258e48f95..9f794e4655 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1445,7 +1445,7 @@ static CXLRetCode cmd_ccls_get_lsa(const struct cxl_cmd *cmd,
     } QEMU_PACKED *get_lsa;
     CXLType3Dev *ct3d = CXL_TYPE3(cci->d);
     CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
-    uint32_t offset, length;
+    uint64_t offset, length;
 
     get_lsa = (void *)payload_in;
     offset = get_lsa->offset;
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c
  2024-09-17  8:09 [PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c Dmitry Frolov
@ 2024-09-17  9:28 ` Jonathan Cameron via
  0 siblings, 0 replies; 2+ messages in thread
From: Jonathan Cameron via @ 2024-09-17  9:28 UTC (permalink / raw)
  To: Dmitry Frolov; +Cc: sdl.qemu, qemu-devel, fan.ni

On Tue, 17 Sep 2024 11:09:16 +0300
Dmitry Frolov <frolov@swemel.ru> wrote:

> The sum offset + length may overflow uint32. Since this sum is
> compared with uint64_t return value of get_lsa_size(), it makes
> sense to choose uint64_t type for offset and length.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
That would take a crazy LSA configuration but indeed looks possible.
Does it matter?

If this happens we'll falsely pass the check, then the values will
get passed into get_lsa() which does have sanity checks, but they
are asserts.

So indeed good to fix this and the suggested fix is fine.

I've queued it up but will be at travelling this week so
might be a while before I send out a fixes series with this in.

Thanks,

Jonathan


> 
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
>  hw/cxl/cxl-mailbox-utils.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index 9258e48f95..9f794e4655 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -1445,7 +1445,7 @@ static CXLRetCode cmd_ccls_get_lsa(const struct cxl_cmd *cmd,
>      } QEMU_PACKED *get_lsa;
>      CXLType3Dev *ct3d = CXL_TYPE3(cci->d);
>      CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
> -    uint32_t offset, length;
> +    uint64_t offset, length;
>  
>      get_lsa = (void *)payload_in;
>      offset = get_lsa->offset;



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-09-17  9:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-17  8:09 [PATCH] hw/cxl: fix uint32 overflow cxl-mailbox-utils.c Dmitry Frolov
2024-09-17  9:28 ` Jonathan Cameron via

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).