Re: [PATCH] cxl/test: reject wrapped GET_LOG offsets

From: Alison Schofield

Date: Wed Jun 10 2026 - 14:02:37 EST


On Fri, Jun 05, 2026 at 02:20:31PM +0000, Samuel Moelius wrote:
> The CXL mock mailbox GET_LOG handler validates the requested CEL slice
> with `offset + length > sizeof(mock_cel)`. Both fields come from the
> userspace CXL_MEM_SEND_COMMAND payload and are 32-bit values, so an
> offset near U32_MAX can wrap the addition to a small value and pass the
> bounds check.
>
> The wrapped request then uses the original large offset as the source
> address for memcpy(), reading far outside the mock CEL array.
>
> Validate the offset first and compare the length against the remaining
> CEL size so the check cannot wrap.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>

Hi Samuel,

I'd suggest keeping the commit log focused on the broken property and
how the fix restores it, rather than tracing the individual arithmetic
operations and later accesses, which are already evident from the code.

The GET_LOG handler is intended to reject requests that describe a CEL
range extending beyond the available data. The current validation can
incorrectly accept some malformed requests because of arithmetic
wraparound, and the fix restores that property by validating the
requested range in a way that cannot overflow.

The discussion of the subsequent memcpy() access leaves me wondering
what the observable effect actually is. Does this return bogus CEL
data, trigger KASAN, crash the test module, or something else? If there
is a demonstrated failure, please describe it. Otherwise, I think the
property being restored is the more important aspect to capture in the
commit log.

-- Alison


> ---
> tools/testing/cxl/test/mem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
> index 271c7ad8cc32..5dc9601a2a7e 100644
> --- a/tools/testing/cxl/test/mem.c
> +++ b/tools/testing/cxl/test/mem.c
> @@ -584,7 +584,7 @@ static int mock_get_log(struct cxl_memdev_state *mds, struct cxl_mbox_cmd *cmd)
> return -EINVAL;
> if (length > cxl_mbox->payload_size)
> return -EINVAL;
> - if (offset + length > sizeof(mock_cel))
> + if (offset > sizeof(mock_cel) || length > sizeof(mock_cel) - offset)
> return -EINVAL;
> if (!uuid_equal(&gl->uuid, &uuid))
> return -EINVAL;
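Review bot: In the replacement condition, `sizeof(mock_cel) - offset` is only safe because the `offset > sizeof(mock_cel)` clause is evaluated first and short-circuits; a one-line comment saying so would keep a later reordering or split of the two clauses from reintroducing the wrap. Note also that `offset == sizeof(mock_cel)` is still accepted when length is 0. If a zero-length request is not already rejected by the check above this hunk (its condition is not visible here), consider `offset >= sizeof(mock_cel)` or confirm that an empty slice at the end of the CEL is intended.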
> --
> 2.43.0
>
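The wraparound described in the quoted commit message, as an added example that is not part of the original thread or the kernel tree: a stand-alone C program that runs the pre-patch and post-patch forms of the range check over constructed (offset, length) pairs. `CEL_SIZE` and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof(mock_cel); the real size is not on the page. */
#define CEL_SIZE ((size_t)64)

/* Pre-patch form: offset + length is a 32-bit sum and can wrap. */
static bool wrapped_check_accepts(uint32_t offset, uint32_t length)
{
	return !(offset + length > CEL_SIZE);
}

/* Post-patch form: bound offset first, then compare length to what is left. */
static bool safe_check_accepts(uint32_t offset, uint32_t length)
{
	return !(offset > CEL_SIZE || length > CEL_SIZE - offset);
}

/* Constructed requests: in-range, boundary, and wrapping. */
static const struct { uint32_t offset, length; } cases[] = {
	{ 0, 64 }, { 60, 4 }, { 60, 5 }, { 64, 0 }, { 65, 0 },
	{ 0xFFFFFFF0u, 0x20u }, { 0xFFFFFFFFu, 1 },
};

/* Number of constructed requests the two checks disagree on. */
static int count_disagreements(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		if (wrapped_check_accepts(cases[i].offset, cases[i].length) !=
		    safe_check_accepts(cases[i].offset, cases[i].length))
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("offset=0x%08x length=0x%08x wrapped=%s safe=%s\n",
		       (unsigned)cases[i].offset, (unsigned)cases[i].length,
		       wrapped_check_accepts(cases[i].offset, cases[i].length) ? "accept" : "reject",
		       safe_check_accepts(cases[i].offset, cases[i].length) ? "accept" : "reject");
	printf("disagreements: %d\n", count_disagreements());
	return 0;
}
```

The two checks agree on every in-range and boundary request and differ only on the two pairs whose 32-bit sum wraps.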