The CXL device mailbox has some variable sized input commands. The payload length for each must be established using command-specific structures.
If user space is either buggy or malicious, it may use size fields to indicate fields beyond the end of the payload sent. Some checks on this were missing and Esifiel picked up on this. I've tagged all these fixes with Esifiel's Reported-by as either they were in the report or are similar issues in other commands.

These can mostly be easily tested by using the raw mailbox commands option in Linux and injecting broken commands from user space.

A typical command needs to first check that there is enough data to get to the command-specific sizing fields, then check the reported size is less than or equal to the available payload.

Note that I think it very unlikely anyone is currently using CXL emulation with a VM that they do not trust, but that may happen in future so good to fix these paths now.

Jonathan Cameron (10):
  hw/cxl: Check size of input data to dynamic capacity mailbox commands
  hw/cxl: Check input includes at least the header in cmd_features_set_feature()
  hw/cxl: Check input length is large enough in cmd_events_clear_records()
  hw/cxl: Check enough data in cmd_firmware_update_transfer()
  hw/cxl: Check the length of data requested fits in get_log()
  hw/cxl: Avoid accesses beyond the end of cel_log.
  hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd()
  hw/cxl: Check that writes do not go beyond end of target attributes
  hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa()
  hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state()

 hw/cxl/cxl-mailbox-utils.c | 73 ++++++++++++++++++++++++++++++++------
 1 file changed, 62 insertions(+), 11 deletions(-)

-- 
2.43.0
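The two-step check the cover letter describes (enough bytes to reach the sizing field, then the declared size must fit in what was actually received), plus the matching output-side bound that a get_log-style command needs, shown as an added example. This is not QEMU's code: the input layout, the return-code names, the function names and the sample payloads are all constructed here for illustration, and only resemble the real cxl-mailbox-utils.c handlers in shape.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes local to this example; the names only resemble QEMU's. */
enum mbox_ret {
    MBOX_SUCCESS = 0,
    MBOX_INVALID_INPUT = 1,
    MBOX_INVALID_PAYLOAD_LENGTH = 2,
};

/* Little-endian 16-bit read; CXL mailbox payloads are little-endian. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Hypothetical "clear records" input layout (constructed for this example):
 *   byte 0     flags
 *   byte 1     reserved
 *   bytes 2-3  nr_handles (guest-controlled count)
 *   bytes 4..  nr_handles x 16-bit handles
 */
#define CLEAR_HDR_LEN 4u
#define HANDLE_LEN    2u

/*
 * Validate in the order the cover letter gives. `len_in` is the number of
 * bytes the guest really supplied, not what the header claims.
 * On success *nr_out (if non-NULL) receives the handle count.
 */
enum mbox_ret parse_clear_records(const uint8_t *payload, size_t len_in,
                                  uint16_t *nr_out)
{
    uint16_t nr;
    size_t needed;

    /* Step 1: is there enough data to read the sizing field at all? */
    if (len_in < CLEAR_HDR_LEN) {
        return MBOX_INVALID_PAYLOAD_LENGTH;
    }
    nr = rd_le16(payload + 2);

    /* Step 2: the declared size must be <= the available payload.
     * nr is 16-bit and HANDLE_LEN is tiny, so the multiply cannot wrap. */
    needed = CLEAR_HDR_LEN + (size_t)nr * HANDLE_LEN;
    if (needed > len_in) {
        return MBOX_INVALID_PAYLOAD_LENGTH;
    }
    if (nr_out) {
        *nr_out = nr;
    }
    return MBOX_SUCCESS;
}

/* Convenience wrapper: handle count on success, -1 when rejected. */
int clear_records_count(const uint8_t *payload, size_t len_in)
{
    uint16_t nr;
    return parse_clear_records(payload, len_in, &nr) == MBOX_SUCCESS ? nr : -1;
}

/*
 * get_log-style request: copy `length` bytes starting at `offset` of a
 * device log of `log_size` bytes into a response of at most `out_max` bytes.
 * Written with subtractions so offset + length can never wrap around.
 */
enum mbox_ret check_log_read(uint32_t offset, uint32_t length,
                             size_t log_size, size_t out_max)
{
    if (length > out_max) {
        return MBOX_INVALID_INPUT;   /* would overrun the response buffer */
    }
    if (offset > log_size || length > log_size - offset) {
        return MBOX_INVALID_INPUT;   /* would read past the end of the log */
    }
    return MBOX_SUCCESS;
}

/* Constructed sample payloads, as user space might inject them raw. */
static const uint8_t sample_ok[]    = {0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x02, 0x00};
static const uint8_t sample_short[] = {0x00, 0x00, 0x02};             /* cut mid-header */
static const uint8_t sample_lying[] = {0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x02, 0x00}; /* claims 3, sends 2 */

int sample_ok_count(void)    { return clear_records_count(sample_ok, sizeof sample_ok); }
int sample_short_count(void) { return clear_records_count(sample_short, sizeof sample_short); }
int sample_lying_count(void) { return clear_records_count(sample_lying, sizeof sample_lying); }
```

The important detail is that `len_in` comes from the mailbox register, not from the payload itself; the header's count is only trusted after it has been compared against that externally known length. The subtraction form in `check_log_read` is what avoids the wrap that a naive `offset + length > log_size` would miss with a large `offset`.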