| Message ID | 20260228152226.2116895-1-ethantidmore06@gmail.com |
|---|---|
| State | Not Applicable |
| Series | RISC-V: KVM: Fix out-of-bounds by 1 |
On Sat, Feb 28, 2026 at 8:52 PM Ethan Tidmore <ethantidmore06@gmail.com> wrote: > > The array kvpmu->pmc is defined as: > > struct kvm_pmc pmc[RISCV_KVM_MAX_COUNTERS]; > > So, accessing it with index RISCV_KVM_MAX_COUNTERS would be > out-of-bounds by 1. > > Change index check from > to >=. > > Detected by Smatch: > arch/riscv/kvm/vcpu_pmu.c:528 kvm_riscv_vcpu_pmu_ctr_info() error: > buffer overflow 'kvpmu->pmc' 64 <= 64 > > Fixes: 8f0153ecd3bf1 ("RISC-V: KVM: Add skeleton support for perf") > Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com> Radim had already sent a similar which was merged. Refer, https://lore.kernel.org/r/20260227134617.23378-1-radim.krcmar@oss.qualcomm.com Regards, Anup > --- > arch/riscv/kvm/vcpu_pmu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c > index 3a4d54aa96d8..51a12f90fb30 100644 > --- a/arch/riscv/kvm/vcpu_pmu.c > +++ b/arch/riscv/kvm/vcpu_pmu.c > @@ -520,7 +520,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, unsigned long cidx, > { > struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu); > > - if (cidx > RISCV_KVM_MAX_COUNTERS || cidx == 1) { > + if (cidx >= RISCV_KVM_MAX_COUNTERS || cidx == 1) { > retdata->err_val = SBI_ERR_INVALID_PARAM; > return 0; > } > -- > 2.53.0 >
On Sat Feb 28, 2026 at 9:22 AM CST, Ethan Tidmore wrote:
> The array kvpmu->pmc is defined as:
>
> struct kvm_pmc pmc[RISCV_KVM_MAX_COUNTERS];
>
> So, accessing it with index RISCV_KVM_MAX_COUNTERS would be
> out-of-bounds by 1.
>
> Change index check from > to >=.
>
> Detected by Smatch:
> arch/riscv/kvm/vcpu_pmu.c:528 kvm_riscv_vcpu_pmu_ctr_info() error:
> buffer overflow 'kvpmu->pmc' 64 <= 64
>
> Fixes: 8f0153ecd3bf1 ("RISC-V: KVM: Add skeleton support for perf")
> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---

Friendly ping.

Thanks,

ET
Hello:

This patch was applied to riscv/linux.git (for-next)
by Anup Patel <anup@brainfault.org>:

On Sat, 28 Feb 2026 09:22:26 -0600 you wrote:
> The array kvpmu->pmc is defined as:
>
> struct kvm_pmc pmc[RISCV_KVM_MAX_COUNTERS];
>
> So, accessing it with index RISCV_KVM_MAX_COUNTERS would be
> out-of-bounds by 1.
>
> [...]

Here is the summary with links:
  - RISC-V: KVM: Fix out-of-bounds by 1
    https://git.kernel.org/riscv/c/5c1bb0787111

You are awesome, thank you!
diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c index 3a4d54aa96d8..51a12f90fb30 100644 --- a/arch/riscv/kvm/vcpu_pmu.c +++ b/arch/riscv/kvm/vcpu_pmu.c @@ -520,7 +520,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, unsigned long cidx, { struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu); - if (cidx > RISCV_KVM_MAX_COUNTERS || cidx == 1) { + if (cidx >= RISCV_KVM_MAX_COUNTERS || cidx == 1) { retdata->err_val = SBI_ERR_INVALID_PARAM; return 0; }
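Review bot: in the changed condition of kvm_riscv_vcpu_pmu_ctr_info(), `cidx == 1` remains a bare magic number beside the named bound RISCV_KVM_MAX_COUNTERS, so nothing in the hunk says why index 1 is rejected; a short comment or a named constant on that term would document it. Separately, cidx is a caller-supplied unsigned long that, per the Smatch report, indexes kvpmu->pmc shortly after this check, so it may be worth clamping it with array_index_nospec(cidx, RISCV_KVM_MAX_COUNTERS) once the bounds test has passed, so the index cannot be used out of range under speculation. The `>=` comparison itself matches the declaration pmc[RISCV_KVM_MAX_COUNTERS] quoted in the commit message.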
The array kvpmu->pmc is defined as:

struct kvm_pmc pmc[RISCV_KVM_MAX_COUNTERS];

So, accessing it with index RISCV_KVM_MAX_COUNTERS would be
out-of-bounds by 1.

Change index check from > to >=.

Detected by Smatch:
arch/riscv/kvm/vcpu_pmu.c:528 kvm_riscv_vcpu_pmu_ctr_info() error:
buffer overflow 'kvpmu->pmc' 64 <= 64

Fixes: 8f0153ecd3bf1 ("RISC-V: KVM: Add skeleton support for perf")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 arch/riscv/kvm/vcpu_pmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)