Commit 87f8e5a71d for qemu.org
commit 87f8e5a71d061964c9bfa4d6e02db47f54dd61f7
Author: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date: Fri Jan 2 15:47:30 2026 +0000
hw/cxl: Check for overflow on santize media as both base and offset 64bit.
The both the size and base of a media sanitize operation are both provided
by the VM, an overflow is possible which may result in checks on valid
range passing when they should not. Close that by checking for overflow
on the addition.
Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260102154731.474859-2-Jonathan.Cameron@huawei.com>
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 6cfdd98168..cf1d048d99 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1875,7 +1875,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)
static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
size_t length)
{
- uint64_t vmr_size, pmr_size, dc_size;
+ uint64_t vmr_size, pmr_size, dc_size, dpa_end;
if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
(length % CXL_CACHE_LINE_SIZE) ||
@@ -1887,7 +1887,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
pmr_size = get_pmr_size(ct3d, NULL);
dc_size = get_dc_size(ct3d, NULL);
- if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
+ /* sanitize 64 bit values coming from guest */
+ if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
+ return -EINVAL;
+ }
+
+ if (dpa_end > vmr_size + pmr_size + dc_size) {
return -EINVAL;
}