qemu-cr16/hw
Jonathan Cameron fd0abbb386 hw/cxl: Check for overflow on sanitize media as both base and offset 64bit.
Both the size and base of a media sanitize operation are provided
by the VM, so an overflow is possible which may result in checks on valid
range passing when they should not.  Close that by checking for overflow
on the addition.

Fixes: 40ab4ed107 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260102154731.474859-2-Jonathan.Cameron@huawei.com>
(cherry picked from commit 87f8e5a71d061964c9bfa4d6e02db47f54dd61f7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2026-02-06 01:12:25 +03:00
9pfs hw/9pfs: Correct typo 2025-12-09 20:42:59 +01:00
acpi acpi/generic_event_device.c: enable use_hest_addr for QEMU 10.x 2025-10-05 08:06:32 -04:00
adc hw/adc: Fix out-of-bounds write in Aspeed ADC model 2026-02-06 00:02:27 +03:00
alpha hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
arm hw/arm/aspeed_ast27x0: Fix EHCI3/4 IRQ routing to GIC 2026-02-06 00:07:28 +03:00
audio hw/audio/lm4549: Don't try to open a zero-frequency audio voice 2025-11-14 13:20:10 +00:00
avr qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
block block: enable stats-intervals for storage devices 2025-10-29 12:10:09 +01:00
char * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
core qdev: fix error handling in set_uint64_checkmask 2025-12-17 09:23:38 +01:00
cpu qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
cxl hw/cxl: Check for overflow on sanitize media as both base and offset 64bit. 2026-02-06 01:12:25 +03:00
display virtio-gpu: fix error handling in virgl_cmd_resource_create_blob 2026-02-06 01:07:26 +03:00
dma hw/dma/zynq-devcfg: Fix register memory 2025-11-18 19:59:31 +01:00
fsi qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
gpio hw/gpio/pl061: Declare pullups/pulldowns as 8-bit types 2025-10-31 16:26:44 +00:00
hppa hw/hppa: Enable LASI i82596 network on 715 machine 2025-11-04 16:14:51 +01:00
hyperv system/ramblock: Move ram_block_discard_*_range() declarations 2025-10-07 03:37:03 +02:00
i2c hw/i2c/aspeed_i2c: Fix DMA moving data into incorrect address 2026-02-06 00:13:25 +03:00
i386 hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() 2026-01-16 14:29:24 +03:00
ide hw/ide/ide-internal: Move dma_buf_commit() into ide "namespace" 2025-10-21 20:16:47 +02:00
input hid: fix incorrect return value for hid 2025-10-05 09:46:06 +03:00
intc hw/intc: avoid byte swap fiddling in gicv3 its path 2026-01-24 09:20:18 +03:00
ipack qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ipmi * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
isa x86: ich9: fix default value of 'No Reboot' bit in GCS 2025-10-05 09:01:08 -04:00
loongarch hw/loongarch/virt: Don't abort on access to unimplemented IOCSR 2026-01-18 19:35:21 +03:00
m68k hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
mem cxl: Clean up includes 2025-11-14 13:18:04 +00:00
microblaze hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
mips * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
misc hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN 2025-11-25 22:45:30 +01:00
net Revert "hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer" 2025-12-09 21:00:15 +01:00
nubus hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
nvme hw/nvme: Fix bootindex suffix use-after-free 2026-02-03 10:59:53 +03:00
nvram nw/nvram/ds1225y: Fix nvram MemoryRegion owner 2025-10-28 08:19:18 +01:00
openrisc hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
pci pcie_sriov: Fix PCI_SRIOV_* accesses in pcie_sriov_pf_exit() 2026-02-06 00:45:06 +03:00
pci-bridge hw/arm/smmu-common: Check SMMU has PCIe Root Complex association 2025-09-16 17:31:54 +01:00
pci-host q35: Fix migration of SMRAM state 2026-02-06 00:46:09 +03:00
ppc target/ppc: Fix env->quiesced migration 2026-01-13 11:07:34 +03:00
remote hw: Remove unnecessary 'system/ram_addr.h' header 2025-10-07 05:03:56 +02:00
riscv hw/riscv: Replace target_ulong uses 2025-10-30 14:48:26 +01:00
rtc hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN 2025-11-25 22:45:30 +01:00
rx hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
s390x hw/s390x: Fix a possible crash with passed-through virtio devices 2025-11-21 08:33:15 +01:00
scsi hw/scsi: Use error_setg_file_open() for a better error message 2025-11-25 22:41:49 +01:00
sd hw/sd/sdhci: Fix TYPE_IMX_USDHC to implement sd-spec-version 3 by default 2026-01-21 10:23:05 +03:00
sensor qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sh4 hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
smbios hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
sparc hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
sparc64 hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
ssi hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 2025-08-04 09:07:38 +02:00
timer hw/pcspk: use explicitly the required PIT types 2025-10-22 08:55:28 +02:00
tpm qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
tricore qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
uefi hw/uefi: fix size negotiation 2026-02-04 11:00:23 +03:00
ufs hw/ufs: Fix mcq completion queue wraparound 2026-02-02 16:21:37 +03:00
usb hw/usb: Convert to qemu_create() for a better error message 2025-11-25 22:41:47 +01:00
vfio Fix the typo of vfio-pci device's enable-migration option 2025-11-21 15:53:06 +03:00
vfio-user vfio-user: recycle msg on failure 2025-12-03 15:07:47 +01:00
virtio virtio-pmem: ignore empty queue notifications 2026-02-06 01:00:27 +03:00
vmapple hw/gpio/pl061: Declare pullups/pulldowns as 8-bit types 2025-10-31 16:26:44 +00:00
watchdog wdt_i6300esb: fix incorrect mask for interrupt type 2025-10-05 09:46:06 +03:00
xen hw/xen: Build only once 2025-10-30 14:48:26 +01:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
Kconfig vfio-user: add vfio-user class and container 2025-06-26 08:55:38 +02:00
meson.build hw/meson: enter target hw first 2025-09-02 17:57:05 +02:00