From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Esifiel <esifiel@gmail.com>, Fan Ni <fan.ni@samsung.com>
Subject: [PULL 53/65] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd()
Date: Mon, 4 Nov 2024 16:09:00 -0500 [thread overview]
Message-ID: <c0f122419fbcd1e0bf2bc2a0a3ae6410bb2cda22.1730754238.git.mst@redhat.com> (raw)
In-Reply-To: <cover.1730754238.git.mst@redhat.com>
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
If len_in is less than the minimum spec allowed value, then return
CXL_MBOX_INVALID_PAYLOAD_LENGTH
Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-8-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/cxl/cxl-mailbox-utils.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 5e571955b6..a40d81219c 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -151,6 +151,9 @@ static CXLRetCode cmd_tunnel_management_cmd(const struct cxl_cmd *cmd,
in = (void *)payload_in;
out = (void *)payload_out;
+ if (len_in < sizeof(*in)) {
+ return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+ }
/* Enough room for minimum sized message - no payload */
if (in->size < sizeof(in->ccimessage)) {
return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
--
MST
next prev parent reply other threads:[~2024-11-04 21:11 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-04 21:05 [PULL 00/65] virtio,pc,pci: features, fixes, cleanups Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 01/65] softmmu: Expand comments describing max_bounce_buffer_size Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 02/65] docs: fix vhost-user protocol doc Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 03/65] hw/acpi: Fix ordering of BDF in Generic Initiator PCI Device Handle Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 04/65] hw/acpi/GI: Fix trivial parameter alignment issue Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 05/65] hw/acpi: Move AML building code for Generic Initiators to aml_build.c Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 06/65] hw/acpi: Rename build_all_acpi_generic_initiators() to build_acpi_generic_initiator() Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 07/65] hw/pci: Add a busnr property to pci_props and use for acpi/gi Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 08/65] acpi/pci: Move Generic Initiator object handling into acpi/pci.* Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 09/65] hw/pci-bridge: Add acpi_uid property to TYPE_PXB_BUS Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 10/65] hw/i386/acpi: Use TYPE_PXB_BUS property acpi_uid for DSDT Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 11/65] hw/pci-host/gpex-acpi: Use acpi_uid property Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 12/65] hw/acpi: Generic Port Affinity Structure support Michael S. Tsirkin
2024-11-05 9:06 ` Daniel P. Berrangé
2024-11-06 7:20 ` Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 13/65] hw/acpi: Make storage of node id uint32_t to reduce fragility Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 14/65] hw/acpi: Generic Initiator - add missing object class property descriptions Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 15/65] hw/pci-bridge/cxl_root_port: Provide x-speed and x-width properties Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 16/65] hw/pci-bridge/cxl_upstream: " Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 17/65] hw/pcie: Factor out PCI Express link register filling common to EP Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 18/65] hw/pcie: Provide a utility function for control of EP / SW USP link Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 19/65] hw/mem/cxl-type3: Add properties to control link speed and width Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 20/65] hw/pci-bridge/cxl-upstream: " Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 21/65] qdev-monitor: add option to report GenericError from find_device_state Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 22/65] vhost-user-blk: split vhost_user_blk_sync_config() Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 23/65] qapi: introduce device-sync-config Michael S. Tsirkin
2024-11-05 9:10 ` Daniel P. Berrangé
2024-11-06 7:19 ` Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 24/65] acpi/disassemle-aml.sh: fix up after dir reorg Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 25/65] tests/acpi: pc: allow DSDT acpi table changes Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 26/65] hw/i386/acpi-build: return a non-var package from _PRT() Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 27/65] tests/acpi: pc: update golden masters for DSDT Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 28/65] amd_iommu: Rename variable mmio to mr_mmio Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 29/65] amd_iommu: Add support for pass though mode Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 30/65] amd_iommu: Use shared memory region for Interrupt Remapping Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 31/65] amd_iommu: Send notification when invalidate interrupt entry cache Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 32/65] amd_iommu: Check APIC ID > 255 for XTSup Michael S. Tsirkin
2024-11-10 11:06 ` Phil Dennis-Jordan
2024-11-11 5:39 ` Shukla, Santosh
2024-11-13 10:53 ` Phil Dennis-Jordan
2024-11-04 21:07 ` [PULL 33/65] virtio-pci: fix memory_region_find for VirtIOPCIRegion's MR Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 34/65] virtio/vhost-user: fix qemu abort when hotunplug vhost-user-net device Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 35/65] hw/cxl: Fix uint32 overflow cxl-mailbox-utils.c Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 36/65] hw/cxl: Fix background completion percentage calculation Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 37/65] mem/cxl_type3: Fix overlapping region validation error Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 38/65] hw/mem/cxl_type3: Fix More flag setting for dynamic capacity event records Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 39/65] hw/cxl/cxl-mailbox-utils: Fix for device DDR5 ECS control feature tables Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 40/65] hw/cxl: Fix indent of structure member Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 41/65] hw/pci-bridge: Make pxb_dev_realize_common() return if it succeeded Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 42/65] vhost-user: fix shared object return values Michael S. Tsirkin
2024-11-04 21:24 ` Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 44/65] pcie: enable Extended tag field support Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 45/65] cxl/cxl-mailbox-utils: Fix size check for cmd_firmware_update_get_info Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 46/65] hw/cxl/cxl-mailbox-util: Fix output buffer index update when retrieving DC extents Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 47/65] hw/cxl: Check size of input data to dynamic capacity mailbox commands Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 48/65] hw/cxl: Check input includes at least the header in cmd_features_set_feature() Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 49/65] hw/cxl: Check input length is large enough in cmd_events_clear_records() Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 50/65] hw/cxl: Check enough data in cmd_firmware_update_transfer() Michael S. Tsirkin
2024-11-04 21:23 ` Michael S. Tsirkin
2024-11-04 21:09 ` Michael S. Tsirkin [this message]
2024-11-04 21:09 ` [PULL 54/65] hw/cxl: Check that writes do not go beyond end of target attributes Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 55/65] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 56/65] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 57/65] hw/pci: Add parenthesis to PCI_BUILD_BDF macro Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 58/65] hw/acpi: Make CPUs ACPI `presence` conditional during vCPU hot-unplug Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 59/65] qtest: allow ACPI DSDT Table changes Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 60/65] hw/acpi: Update ACPI `_STA` method with QOM vCPU ACPI Hotplug states Michael S. Tsirkin
2024-11-05 12:50 ` Igor Mammedov
2024-11-05 21:12 ` Salil Mehta via
2024-11-06 9:00 ` Igor Mammedov
2024-11-06 10:34 ` Salil Mehta via
2024-11-04 21:09 ` [PULL 61/65] tests/qtest/bios-tables-test: Update DSDT golden masters for x86/{pc,q35} Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 62/65] hw/acpi: Update GED with vCPU Hotplug VMSD for migration Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 63/65] intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 64/65] intel_iommu: Add missed sanity check for 256-bit invalidation queue Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 65/65] intel_iommu: Add missed reserved bit check for IEC descriptor Michael S. Tsirkin
2024-11-04 21:23 ` [PULL 51/65] hw/cxl: Check the length of data requested fits in get_log() Michael S. Tsirkin
2024-11-04 21:23 ` [PULL 52/65] hw/cxl: Avoid accesses beyond the end of cel_log Michael S. Tsirkin
2024-11-04 21:24 ` [PULL 43/65] intel_iommu: Introduce property "stale-tm" to control Transient Mapping (TM) field Michael S. Tsirkin
2024-11-05 21:26 ` [PULL 00/65] virtio,pc,pci: features, fixes, cleanups Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c0f122419fbcd1e0bf2bc2a0a3ae6410bb2cda22.1730754238.git.mst@redhat.com \
--to=mst@redhat.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=esifiel@gmail.com \
--cc=fan.ni@samsung.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).