From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Ming Li, Ira Weiny, Lukas Wunner, Dan Williams, Jonathan Cameron, Kuppuswamy Sathyanarayanan
Subject: [PATCH 6.1 057/164] cxl/pci: Handle truncated CDAT header
Date: Wed, 12 Apr 2023 10:32:59 +0200
Message-Id: <20230412082839.264901093@linuxfoundation.org>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230412082836.695875037@linuxfoundation.org>
References: <20230412082836.695875037@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Lukas Wunner

commit 34bafc747c54fb58c1908ec3116fa6137393e596 upstream.

cxl_cdat_get_length() only checks whether the DOE response size is sufficient for the Table Access response header (1 dword), but not the succeeding CDAT header (1 dword length plus other fields). It thus returns whatever uninitialized memory happens to be on the stack if a truncated DOE response with only 1 dword was received. Fix it.

Fixes: c97006046c79 ("cxl/port: Read CDAT table")
Reported-by: Ming Li
Tested-by: Ira Weiny
Signed-off-by: Lukas Wunner
Reviewed-by: Ming Li
Reviewed-by: Dan Williams
Reviewed-by: Jonathan Cameron
Cc: stable@vger.kernel.org # v6.0+
Reviewed-by: Kuppuswamy Sathyanarayanan
Link: https://lore.kernel.org/r/000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman
---
 drivers/cxl/core/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cxl/core/pci.c +++ b/drivers/cxl/core/pci.c @@ -531,7 +531,7 @@ static int cxl_cdat_get_length(struct de return rc; } wait_for_completion(&t.c); - if (t.task.rv < sizeof(__le32)) + if (t.task.rv < 2 * sizeof(__le32)) return -EIO; *length = le32_to_cpu(t.response_pl[1]);
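Review bot: in the changed condition `t.task.rv < 2 * sizeof(__le32)`, the right-hand side is a `size_t`, so if `rv` is a signed type that can carry a negative error code (its declaration is outside this hunk), it is converted to a large unsigned value, the test is false, and `t.response_pl[1]` is still read from an unfilled buffer. That is the same uninitialized-stack read the commit message describes, reached through the failure path instead of the truncation path. Consider testing `t.task.rv < 0` first and returning that error, then applying the size bound. The bare `2 *` is also coupled only implicitly to the index in `t.response_pl[1]`; a one-line comment saying that dword 0 is the Table Access response header and dword 1 is the CDAT length would keep the bound and the index from drifting apart. The value stored in `*length` comes from the device; nothing in the visible lines bounds it, so the caller should be checked for a sanity limit before it sizes a buffer from it.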