mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hw/cxl: Fix out of bound array access

Browse Source 
According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up
to 16. This also corresponds to CXL r3.0 spec. So, the fw->target_hbs[]
array is iterated from 0 to 15. But it is statically declared of length 8.
Thus, out of bound array access may occur.

Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Link: https://lore.kernel.org/r/20230913101055.754709-1-frolov@swemel.ru
Cc: qemu-stable@nongnu.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
Dmitry Frolov 2023-09-19 11:19:25 +01:00 committed by Michael Tokarev
parent 6ff359196d
commit de5bbfc602
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/hw/cxl/cxl.h
View File

@ -29,7 +29,7 @@ typedef struct PXBCXLDev PXBCXLDev;
typedef struct CXLFixedWindow { typedef struct CXLFixedWindow {
uint64_t size; uint64_t size;
char **targets; char **targets;
PXBCXLDev *target_hbs[8]; PXBCXLDev *target_hbs[16];
uint8_t num_targets; uint8_t num_targets;
uint8_t enc_int_ways; uint8_t enc_int_ways;
uint8_t enc_int_gran; uint8_t enc_int_gran;