From: Jonathan Cameron
Date: Fri, 2 Jan 2026 15:47:30 +0000 (+0000)
Subject: hw/cxl: Check for overflow on santize media as both base and offset 64bit.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87f8e5a71d061964c9bfa4d6e02db47f54dd61f7;p=thirdparty%2Fqemu.git

hw/cxl: Check for overflow on santize media as both base and offset 64bit.

The both the size and base of a media sanitize operation are both provided by the VM, an overflow is possible which may result in checks on valid range passing when they should not. Close that by checking for overflow on the addition.

Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell
Signed-off-by: Jonathan Cameron
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260102154731.474859-2-Jonathan.Cameron@huawei.com>
---

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 6cfdd98168..cf1d048d99 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -1875,7 +1875,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)
 static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
                              size_t length)
 {
-    uint64_t vmr_size, pmr_size, dc_size;
+    uint64_t vmr_size, pmr_size, dc_size, dpa_end;
 
     if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
         (length % CXL_CACHE_LINE_SIZE) ||
@@ -1887,7 +1887,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
     pmr_size = get_pmr_size(ct3d, NULL);
     dc_size = get_dc_size(ct3d, NULL);
 
-    if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
+    /* sanitize 64 bit values coming from guest */
+    if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
+        return -EINVAL;
+    }
+
+    if (dpa_end > vmr_size + pmr_size + dc_size) {
         return -EINVAL;
     }
 
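Review bot: The overflow check in the second hunk guards the 64-bit addition, but `length` is still declared `size_t` in the signature shown in the first hunk, so on a host where size_t is 32 bits a guest-supplied 64-bit length would be narrowed before this function ever sees it; whether that is reachable depends on the caller, which is outside the hunk, but declaring the parameter `uint64_t length` would make the check independent of host width. The new comment `/* sanitize 64 bit values coming from guest */` is also easy to misread in a function that validates the Sanitize media operation; `/* dpa_addr and length are guest-controlled: reject wrap-around before the range check */` states what the check actually does. validate_dpa_addr's body continues past the end of the hunk.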