[PATCH v3 0/3] cxl/features: Bounds-check the fwctl feature commands
From: Richard Cheng
Date: Fri Jun 26 2026 - 06:41:32 EST
The CXL fwctl feature handlers take buffer sizes from userspace (out_len)
and from the device without fully checking them. This series adds the
missing bounds checks.
Patch 1: reject a Get Feature whose count is larger than the output
         buffer.
Patch 2: reject a Set Feature whose output buffer is too small for the
         reply header. A zero out_len makes kvzalloc() return
         ZERO_SIZE_PTR, and the header write then corrupts memory.
Patch 3: clamp the Get Feature read loop to the room left in the output
         buffer, so a device that returns more than requested cannot
         write past it.
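As an added illustration, not code from this series or from the kernel, the standalone C model below shows the three checks the patches describe: rejecting a Get Feature count larger than out_len, requiring out_len to hold at least the Set Feature reply header, and a Get Feature copy loop clamped to the room left in the output buffer. The constructed device returns more than was requested on the final chunk; the header size, chunk size, struct and function names are all assumptions, not the driver's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Standalone model of the three checks described in the cover letter.
 * Nothing here is the kernel's code: the header size, chunk size, struct
 * and function names are all assumed for illustration.
 */

#define HDR_LEN   4   /* assumed size of the Set Feature reply header */
#define MAX_CHUNK 8   /* assumed per-transfer maximum for Get Feature */

/* Patch 1: a Get Feature count must fit in the caller's output buffer. */
int get_feature_check_count(size_t count, size_t out_len)
{
	return count > out_len ? -EINVAL : 0;
}

/* Patch 2: the Set Feature output buffer must hold at least the reply
 * header; out_len == 0 would otherwise give a zero-length allocation that
 * the header write runs past. */
int set_feature_check_out_len(size_t out_len)
{
	return out_len < HDR_LEN ? -EINVAL : 0;
}

/* Constructed device model: always reports avail_per_call bytes, which may
 * exceed what was requested, but never more than the scratch buffer holds. */
struct fake_dev {
	size_t avail_per_call;
	uint8_t fill;
};

static size_t fake_dev_read(struct fake_dev *d, uint8_t *scratch,
			    size_t cap, size_t req)
{
	size_t n = d->avail_per_call < cap ? d->avail_per_call : cap;

	(void)req;	/* a misbehaving device ignores the request size */
	memset(scratch, d->fill, n);
	return n;
}

/* Patch 3: copy loop that never writes beyond out_len, however much the
 * device returns. Returns bytes copied, or a negative errno. */
long get_feature_read(struct fake_dev *d, uint8_t *out, size_t out_len,
		      size_t count)
{
	uint8_t scratch[MAX_CHUNK];
	size_t done = 0;
	int rc = get_feature_check_count(count, out_len);

	if (rc)
		return rc;

	while (done < count) {
		size_t req = count - done;
		size_t room = out_len - done;	/* space left in the output */
		size_t got;

		if (req > MAX_CHUNK)
			req = MAX_CHUNK;
		got = fake_dev_read(d, scratch, sizeof(scratch), req);
		if (got == 0)
			break;
		if (got > room)			/* clamp, do not trust the device */
			got = room;
		memcpy(out + done, scratch, got);
		done += got;
	}
	return (long)done;
}

/* Exercise the loop with a device that returns more than asked for on the
 * final chunk, and report whether the guard bytes after the buffer survived.
 * Returns 1 on success, 0 if the buffer was overrun or the count is wrong. */
int demo_clamped_read(void)
{
	struct fake_dev d = { .avail_per_call = 8, .fill = 0xAB };
	uint8_t buf[12];
	const size_t out_len = 10;
	long n;

	memset(buf, 0xEE, sizeof(buf));	/* bytes 10..11 are guards */
	n = get_feature_read(&d, buf, out_len, out_len);
	return n == 10 && buf[9] == 0xAB && buf[10] == 0xEE && buf[11] == 0xEE;
}
```

The clamp is computed from out_len minus what has already been copied, not from the requested chunk size, so the loop stays safe even when the device's reply exceeds the request; without it the second chunk in demo_clamped_read() would run eight bytes into a two-byte gap.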
A related gap is fixed separately by Zhenhao Wan's patch [1].
Changes since v2:
- Expand the single Get Feature fix into a series that also covers
  the Set Feature output buffer and the Get Feature read loop.
[1]: https://lore.kernel.org/all/20260620-cxl-fwctl-oob-v1-1-5758e34d784a@xxxxxxxxx/
Richard Cheng (3):
  cxl/features: Reject Get Feature count larger than the output buffer
  cxl/features: Reject Set Features output buffer smaller than the
    header
  cxl/features: Clamp Get Feature output size to the remaining buffer
drivers/cxl/core/features.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
base-commit: ef0c9f75a19532d7675384708fc8621e10850104
--
2.43.0