[PATCH v3 2/3] cxl/features: Reject Set Features output buffer smaller than the header

From: Richard Cheng

Date: Fri Jun 26 2026 - 06:42:01 EST


cxlctl_set_feature() sizes its output buffer from the user's
fwctl_rpc.out_len but never checks it is large enough to hold even the
fwctl_rpc_cxl_out header. With out_len == 0, kvzalloc() returns
ZERO_SIZE_PTR, which passes the !rpc_out check; the subsequent
rpc_out->size = 0 then writes through the poison pointer.

Reject requests whose output buffer can't hold the response header,
before allocating. The Set Feature reply carries no payload, so the
header is all that is required.

Fixes: eb5dfcb9e36d ("cxl: Add support to handle user feature commands for set feature")
Signed-off-by: Richard Cheng <icheng@xxxxxxxxxx>
---
Changelog:

v2 -> v3:
- New patch.

drivers/cxl/core/features.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/cxl/core/features.c b/drivers/cxl/core/features.c
index 9c714ee42a41..ed18ccb5e236 100644
--- a/drivers/cxl/core/features.c
+++ b/drivers/cxl/core/features.c
@@ -520,6 +520,9 @@ static void *cxlctl_set_feature(struct cxl_features_state *cxlfs,
flags = le32_to_cpu(feat_in->flags);
out_size = *out_len;

+ if (out_size < offsetof(struct fwctl_rpc_cxl_out, payload))
+ return ERR_PTR(-EINVAL);
+
struct fwctl_rpc_cxl_out *rpc_out __free(kvfree) =
kvzalloc(out_size, GFP_KERNEL);
if (!rpc_out)
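Review bot: the new bound `if (out_size < offsetof(struct fwctl_rpc_cxl_out, payload))` encodes the assumption that the Set Feature reply is header-only, but that reasoning lives only in the commit message; add a one-line comment above the check (e.g. /* Set Feature reply carries no payload, the header is all that is needed */) so that anyone who later adds payload data to this reply knows the bound must grow with it. The early return sits after out_size = *out_len and before the kvzalloc(), so no cleanup is needed on the -EINVAL path, which is correct. Since the buffer is sized from the user-supplied fwctl_rpc.out_len, it would also help to state in the commit message whether any other handler that allocates from the same out_len needs the same guard, because this return only covers cxlctl_set_feature().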
--
2.43.0