hw/cxl: Check enough data in cmd_firmware_update_transfer() Buggy guest can write a message that advertises more data that is provided. As QEMU internally duplicates the reported message size, this may result in an out of bounds access. Add sanity checks on the size to avoid this. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20241101133917.27634-5-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

commit: a3995360aeec62902f045142840c1fd334e9725f [log] [tgz]
author: Jonathan Cameron <Jonathan.Cameron@huawei.com> Fri Nov 01 13:39:11 2024 +0000
committer: Michael S. Tsirkin <mst@redhat.com> Mon Nov 04 16:03:25 2024 -0500
tree: 963caea53cba84d6861512d8dbbf25b2b6636e36
parent: f4a12ba66bebfe200d7f56015c1cd5af321ab152 [diff]
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 3cb499a..27fadc4 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c

@@ -705,6 +705,10 @@
     } QEMU_PACKED *fw_transfer = (void *)payload_in;
     size_t offset, length;
 
+    if (len < sizeof(*fw_transfer)) {
+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
+    }
+
     if (fw_transfer->action == CXL_FW_XFER_ACTION_ABORT) {
         /*
          * At this point there aren't any on-going transfers
commit	a3995360aeec62902f045142840c1fd334e9725f	[log] [tgz]
author	Jonathan Cameron <Jonathan.Cameron@huawei.com>	Fri Nov 01 13:39:11 2024 +0000
committer	Michael S. Tsirkin <mst@redhat.com>	Mon Nov 04 16:03:25 2024 -0500
tree	963caea53cba84d6861512d8dbbf25b2b6636e36
parent	f4a12ba66bebfe200d7f56015c1cd5af321ab152 [diff]