hw/cxl: Check enough data in cmd_firmware_update_transfer()
author Jonathan Cameron <Jonathan.Cameron@huawei.com>
Fri, 1 Nov 2024 13:39:11 +0000 (13:39 +0000)
committer Michael S. Tsirkin <mst@redhat.com>
Mon, 4 Nov 2024 21:03:25 +0000 (16:03 -0500)
commit a3995360aeec62902f045142840c1fd334e9725f
tree 963caea53cba84d6861512d8dbbf25b2b6636e36
parent f4a12ba66bebfe200d7f56015c1cd5af321ab152
hw/cxl: Check enough data in cmd_firmware_update_transfer()

Buggy guest can write a message that advertises more data than
is provided. As QEMU internally duplicates the reported message
size, this may result in an out of bounds access.
Add sanity checks on the size to avoid this.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-5-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
hw/cxl/cxl-mailbox-utils.c