On Wed, 13 May 2026 16:41:48 -0500 Aaron Esau <[email protected]> wrote:
> Hi mjt,
>
> I haven't contributed to qemu before. Am I responsible for anything
> beyond submitting the patch here, to get this merged into master?
>
> - Aaron
>
> On Wed, May 13, 2026 at 1:35 AM Michael Tokarev <[email protected]> wrote:
> >
> > On 16.04.2026 23:07, Aaron Esau wrote:
> > > From: Aaron Esau <[email protected]>
> > >
> > > The memmove in cmd_logs_get_log() uses cci->cel_log + get_log->offset,
> > > which performs pointer arithmetic in units of sizeof(struct cel_log)
> > > (4 bytes per element). However, per CXL r3.1 Section 8.2.9.5.2, the
> > > offset field is a byte offset into the log.
> > >
> > > The existing bounds check correctly treats offset as a byte value:
> > >
> > > (uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)
> >
> > ...
> >
> > Ping?
> >
> > Has this patchset been forgotten, or is it not needed anymore?
> > If it's needed, it would be nice if it lands in the master branch
> > in the next 10 days.

Sorry, this is me running slow due to other demands. I'm just catching up
with the qemu list as the email address this went to for me is dead.
Looks like my maintainers update hasn't been picked up by anyone yet.

The fix may look frightening but for now it's hardening only as offset
passed by all the guest software stacks I know of is always 0.

Fix looks correct to me. I'll queue it up on my cxl tree but more than
happy if this goes directly via someone else.

Reviewed-by: Jonathan Cameron <[email protected]>

+ cc linux-cxl (and my kernel.org) address so that folk are aware of the
potential issue.

Thanks,

Jonathan

> > Thanks,
> >
> > /mjt
> >
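As an added illustration of the addressing mismatch described in the quoted commit message (example code written for this page, not QEMU's code or the patch author's), the following C shows why the byte-oriented bounds check quoted in the thread does not cover a memmove whose source pointer is advanced in units of sizeof(struct cel_log), and what the byte-addressed copy looks like. The struct cel_log layout (two 16-bit fields, giving the stated 4-byte element size), the array size, and the request values are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout: two 16-bit fields, giving the 4-byte element size the
 * commit message mentions. This is not QEMU's definition. */
struct cel_log {
    uint16_t opcode;
    uint16_t effect;
};

#define CEL_LOG_ENTRIES 8                                          /* constructed size */
#define CEL_LOG_BYTES   (CEL_LOG_ENTRIES * sizeof(struct cel_log)) /* 32 bytes */

struct cci_state {
    struct cel_log cel_log[CEL_LOG_ENTRIES];
};

/* Byte position where the copy starts under each addressing scheme. Computed
 * arithmetically so the buggy variant can be shown without performing an
 * out-of-bounds read. */
size_t start_buggy(uint32_t offset)
{
    /* cci->cel_log + offset advances offset * sizeof(struct cel_log) bytes */
    return (size_t)offset * sizeof(struct cel_log);
}

size_t start_fixed(uint32_t offset)
{
    /* (const uint8_t *)cci->cel_log + offset advances exactly offset bytes */
    return (size_t)offset;
}

/* The bounds check quoted in the thread; it treats offset as a byte count. */
int passes_bounds_check(uint32_t offset, uint32_t length)
{
    return !((uint64_t)offset + length >= CEL_LOG_BYTES);
}

/* Would a copy of length bytes starting at byte start stay inside cel_log? */
int copy_stays_in_bounds(size_t start, uint32_t length)
{
    return start + length <= CEL_LOG_BYTES;
}

/* Byte-addressed reader: the source pointer is advanced in the same unit
 * (bytes) that the bounds check validates. Returns 0 on success, -1 if rejected. */
int cel_log_read(const struct cci_state *cci, uint32_t offset, uint32_t length,
                 uint8_t *out)
{
    if (!passes_bounds_check(offset, length)) {
        return -1;
    }
    memmove(out, (const uint8_t *)cci->cel_log + offset, length);
    return 0;
}

/* Fill a constructed log (entry i has opcode i) and read from it. Returns the
 * opcode of the first entry covered by the read, or -1 if the request was
 * rejected or too short to hold a whole entry. */
int read_first_opcode(uint32_t offset, uint32_t length)
{
    struct cci_state cci;
    uint8_t out[CEL_LOG_BYTES];
    struct cel_log first;

    for (unsigned i = 0; i < CEL_LOG_ENTRIES; i++) {
        cci.cel_log[i].opcode = (uint16_t)i;
        cci.cel_log[i].effect = (uint16_t)(0x100 + i);
    }
    if (length < sizeof first || cel_log_read(&cci, offset, length, out) != 0) {
        return -1;
    }
    memcpy(&first, out, sizeof first); /* avoids endianness assumptions */
    return first.opcode;
}

int main(void)
{
    uint32_t offset = 16, length = 8; /* constructed guest request */

    printf("check passes: %d\n", passes_bounds_check(offset, length));
    printf("element-scaled start %zu in bounds: %d\n", start_buggy(offset),
           copy_stays_in_bounds(start_buggy(offset), length));
    printf("byte start %zu in bounds: %d\n", start_fixed(offset),
           copy_stays_in_bounds(start_fixed(offset), length));
    printf("first opcode read: %d\n", read_first_opcode(offset, length));
    return 0;
}
```

With the constructed request (offset 16, length 8) the check passes because 16 + 8 is below the 32-byte log, yet element-scaled addressing would start the copy at byte 64, past the end of the array; byte addressing starts at byte 16 and stays inside it. The point a reviewer would take from this is that a bounds check and the pointer arithmetic it guards must agree on the unit of offset.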
