On Fri, Nov 01, 2024 at 01:39:10PM +0000, Jonathan Cameron wrote:
> Buggy software might write a message that is too short for
> either the header, or the header + the event data that is specified
> in the header. This may result in accesses beyond the range of the
> message allocated as a duplicate of the incoming message buffer.
>
> Reported-by: Esifiel <esif...@gmail.com>
> Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
> ---

Reviewed-by: Fan Ni <fan...@samsung.com>

>  hw/cxl/cxl-mailbox-utils.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index e63140aefe..3cb499a24f 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct
> cxl_cmd *cmd,
>      CXLClearEventPayload *pl;
>
>      pl = (CXLClearEventPayload *)payload_in;
> +
> +    if (len_in < sizeof(*pl) ||
> +        len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
> +        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> +    }
> +
>      *len_out = 0;
>      return cxl_event_clear_records(cxlds, pl);
>  }
> --
> 2.43.0
>

--
Fan Ni
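Review bot: the guard relies on || short-circuiting so that pl->nr_recs is read only after len_in >= sizeof(*pl) has been established, which makes the order of the two clauses load-bearing; a one-line comment above the if (e.g. /* header first, then the handle array the header describes */) would keep a later cleanup from collapsing it into the second clause alone. It would also help to state, in the commit message or that comment, what bounds pl->nr_recs so a reader can see that sizeof(*pl->handle) * pl->nr_recs cannot wrap.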
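As an added illustration of the length check the patch introduces (not code from QEMU or from the patch author), the function below validates a constructed payload of the same shape: a fixed header whose nr_recs field announces how many 16-bit handles follow. The struct layout, the names clear_event_payload, validate_clear_event_len and build_payload, and the result codes are assumptions for this example; the two-clause guard mirrors the one in the hunk and shows why the header-size clause has to come first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring the "header + nr_recs handles" shape the
 * patch describes. Fields other than nr_recs/handle are placeholders. */
typedef struct {
    uint8_t  event_log;
    uint8_t  clear_flags;
    uint8_t  nr_recs;       /* number of 16-bit handles after the header */
    uint8_t  reserved[3];
    uint16_t handle[];      /* flexible array, nr_recs entries */
} clear_event_payload;

enum { PAYLOAD_OK = 0, PAYLOAD_INVALID_LENGTH = 1 };

/* Accept only if len bytes at buf hold a complete payload.
 * The first clause must be evaluated before touching pl->nr_recs, because
 * that byte lives inside the header; || short-circuits, so the size
 * computation on the right never runs for a header-truncated message. */
int validate_clear_event_len(const uint8_t *buf, size_t len)
{
    const clear_event_payload *pl = (const clear_event_payload *)buf;

    if (len < sizeof(*pl) ||
        len < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
        return PAYLOAD_INVALID_LENGTH;
    }
    return PAYLOAD_OK;
}

/* Constructed input: zero buf and claim nr_recs records in the header.
 * Returns the byte count the header implies should be present. */
size_t build_payload(uint8_t *buf, size_t bufsz, uint8_t nr_recs)
{
    memset(buf, 0, bufsz);
    buf[offsetof(clear_event_payload, nr_recs)] = nr_recs;
    return sizeof(clear_event_payload) + sizeof(uint16_t) * nr_recs;
}

int main(void)
{
    _Alignas(clear_event_payload) uint8_t buf[64];
    size_t need = build_payload(buf, sizeof buf, 3);

    printf("2 bytes, header truncated: %d\n", validate_clear_event_len(buf, 2));
    printf("%zu bytes, one handle missing: %d\n", need - 2,
           validate_clear_event_len(buf, need - 2));
    printf("%zu bytes, complete: %d\n", need, validate_clear_event_len(buf, need));
    return 0;
}
```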