Re: [PATCH] cxl/features: bound fwctl command payload to the input buffer
From: Dave Jiang
Date: Mon Jul 06 2026 - 15:40:55 EST
On 7/6/26 8:54 AM, Jason Gunthorpe wrote:
> On Sat, Jun 20, 2026 at 12:33:15PM +0800, Zhenhao Wan wrote:
>> fwctl_cmd_rpc() copies cmd->in_len bytes into inbuf = kvzalloc(cmd->in_len)
>> and passes inbuf and in_len to ->fw_rpc(). The CXL callback cxlctl_fw_rpc()
>> ignores in_len and never checks the user-controlled op_size against it.
>>
>> cxlctl_set_feature() bounds op_size only from below
>> (op_size <= sizeof(feat_in->hdr)) and then reads op_size - sizeof(hdr)
>> bytes from feat_in->feat_data via cxl_set_feature(). With a small in_len
>> and a large op_size the first memcpy() already reads past the
>> kvzalloc(in_len) buffer; the out-of-bounds bytes are placed in the mailbox
>> payload and sent to the device, and a large enough op_size can walk into
>> unmapped memory and oops the kernel. The Get paths pin op_size to a fixed
>> size but likewise read the input struct without checking in_len.
>>
>> Reject, at the single dispatch point, any request whose fixed header plus
>> op_size does not fit in the copied-in buffer. The lower-bound test guards
>> the subtraction and ensures op_size was copied in before it is read.
>>
>> Fixes: eb5dfcb9e36d ("cxl: Add support to handle user feature commands for set feature")
>> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
>> Signed-off-by: Zhenhao Wan <whi4ed0g@xxxxxxxxx>
>> ---
>> drivers/cxl/core/features.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
>
> CXL folks, you will pick this up?
>
> I think it should be cc stable too
Thanks for the review Jason. I'll pick it up. I actually had the same fix in a branch locally but haven't got around to post yet.
>
> Jason