aboutsummaryrefslogtreecommitdiff
path: root/include/hw
diff options
context:
space:
mode:
authorDmitry Frolov <frolov@swemel.ru>2023-09-19 11:19:25 +0100
committerMichael Tokarev <mjt@tls.msk.ru>2023-09-21 11:31:18 +0300
commitde5bbfc602ef1b9b79c494a914c6083a1a23cca2 (patch)
tree0b113b4d364c64041b1af493431b1c70ff406c08 /include/hw
parent6ff359196d576606a1434145cf05f967a05c08fa (diff)
downloadqemu-de5bbfc602ef1b9b79c494a914c6083a1a23cca2.zip
qemu-de5bbfc602ef1b9b79c494a914c6083a1a23cca2.tar.gz
qemu-de5bbfc602ef1b9b79c494a914c6083a1a23cca2.tar.bz2
hw/cxl: Fix out of bound array access
According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up to 16. This also corresponds to CXL r3.0 spec. So, the fw->target_hbs[] array is iterated from 0 to 15. But it is statically declared of length 8. Thus, out of bound array access may occur. Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from TYPE_PXB_DEV") Signed-off-by: Dmitry Frolov <frolov@swemel.ru> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Link: https://lore.kernel.org/r/20230913101055.754709-1-frolov@swemel.ru Cc: qemu-stable@nongnu.org Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'include/hw')
-rw-r--r--include/hw/cxl/cxl.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/hw/cxl/cxl.h b/include/hw/cxl/cxl.h
index 56c9e76..4944725 100644
--- a/include/hw/cxl/cxl.h
+++ b/include/hw/cxl/cxl.h
@@ -29,7 +29,7 @@ typedef struct PXBCXLDev PXBCXLDev;
typedef struct CXLFixedWindow {
uint64_t size;
char **targets;
- PXBCXLDev *target_hbs[8];
+ PXBCXLDev *target_hbs[16];
uint8_t num_targets;
uint8_t enc_int_ways;
uint8_t enc_int_gran;