Re: [PATCH] cxl/test: reject wrapped GET_LOG offsets

From: Dave Jiang

Date: Tue Jun 09 2026 - 14:09:02 EST




On 6/5/26 7:20 AM, Samuel Moelius wrote:
> The CXL mock mailbox GET_LOG handler validates the requested CEL slice
> with `offset + length > sizeof(mock_cel)`. Both fields come from the
> userspace CXL_MEM_SEND_COMMAND payload and are 32-bit values, so an
> offset near U32_MAX can wrap the addition to a small value and pass the
> bounds check.
>
> The wrapped request then uses the original large offset as the source
> address for memcpy(), reading far outside the mock CEL array.
>
> Validate the offset first and compare the length against the remaining
> CEL size so the check cannot wrap.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>

Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>

> ---
> tools/testing/cxl/test/mem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
> index 271c7ad8cc32..5dc9601a2a7e 100644
> --- a/tools/testing/cxl/test/mem.c
> +++ b/tools/testing/cxl/test/mem.c
> @@ -584,7 +584,7 @@ static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
> return -EINVAL;
> if (length > cxl_mbox->payload_size)
> return -EINVAL;
> - if (offset + length > sizeof(mock_cel))
> + if (offset > sizeof(mock_cel) || length > sizeof(mock_cel) - offset)
> return -EINVAL;
> if (!uuid_equal(&gl->uuid, &uuid))
> return -EINVAL;
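
Review bot: On the `+` line, `length > sizeof(mock_cel) - offset` is only correct together with the `offset > sizeof(mock_cel)` test beside it: without that test the subtraction underflows for a large offset and the length comparison passes again. A one-line comment above the condition saying the two tests belong together would keep a later cleanup from dropping or separating the first one. The condition still accepts `offset == sizeof(mock_cel)` with `length == 0`, as the old check did; that copies nothing, but it is worth confirming this is intended rather than `>=`. The message describes an out-of-bounds read in existing code and carries no Fixes: tag, so consider adding one that names the commit which introduced the old check.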
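
The wrap described in the commit message, checked against a 64-bit reference bound. This is an added example, not code from the patch or the kernel tree; `CEL_SIZE` is a constructed stand-in for `sizeof(mock_cel)` and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof(mock_cel); the real size is not on the page. */
#define CEL_SIZE ((size_t)64)

/* Pre-patch check: the u32 addition wraps modulo 2^32 before the compare. */
static bool old_check_accepts(uint32_t offset, uint32_t length)
{
    return !((uint32_t)(offset + length) > CEL_SIZE);
}

/* Patched check: offset is bounded first, so the subtraction cannot underflow. */
static bool new_check_accepts(uint32_t offset, uint32_t length)
{
    return !(offset > CEL_SIZE || length > CEL_SIZE - offset);
}

/* Reference bound computed in 64 bits, where the sum cannot wrap. */
static bool in_bounds(uint32_t offset, uint32_t length)
{
    return (uint64_t)offset + length <= CEL_SIZE;
}

/* Sweep values around 0, CEL_SIZE and U32_MAX; count disagreements with the reference. */
static unsigned mismatches(bool (*check)(uint32_t, uint32_t))
{
    const uint32_t base[] = { 0, (uint32_t)CEL_SIZE - 4, UINT32_MAX - 8 };
    unsigned bad = 0;

    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            for (uint32_t d = 0; d <= 8; d++)
                for (uint32_t e = 0; e <= 8; e++) {
                    uint32_t off = base[i] + d, len = base[j] + e;
                    if (check(off, len) != in_bounds(off, len))
                        bad++;
                }
    return bad;
}

int main(void)
{
    printf("old check disagreements: %u\n", mismatches(old_check_accepts));
    printf("new check disagreements: %u\n", mismatches(new_check_accepts));
    return 0;
}
```

The sweep doubles as a regression check: the patched condition agrees with the reference for every in-range request as well as the wrapping ones, so valid GET_LOG slices are not affected.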