| Message ID | 20260306073739.3441292-3-xujiakai2025@iscas.ac.cn |
|---|---|
| State | Superseded |
| Series | RISC-V: KVM: Fix array out-of-bounds in firmware counter reads |
On Fri, Mar 06, 2026 at 07:37:39AM +0000, Jiakai Xu wrote:
> pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
> reads a firmware counter that has not been configured, pmc->event_idx is
> SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
> an out-of-bounds access on kvpmu->fw_event[].

This paragraph won't make sense when it's looked at independently in the
commit history. Either don't reference pmu_ctr_read() or just fix both
with the same commit (I don't see any reason to fix them separately - the
fact the two locations getting fixed were merged separately doesn't
matter as a commit can have more than one Fixes tag)

>
> Add the same bounds check on fevent_code before accessing the fw_event
> array.
>
> Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
> ---
> arch/riscv/kvm/vcpu_pmu.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
> index c6d42459c2a1..b7ceda1643ec 100644
> --- a/arch/riscv/kvm/vcpu_pmu.c
> +++ b/arch/riscv/kvm/vcpu_pmu.c
> @@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx,
> return -EINVAL;
>
> fevent_code = get_event_code(pmc->event_idx);
> + if (fevent_code >= SBI_PMU_FW_MAX) {
> + pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);

Same comment about the pr_warn.

Thanks,
drew

> + return -EINVAL;
> + }
> pmc->counter_val = kvpmu->fw_event[fevent_code].value;
>
> *out_val = pmc->counter_val >> 32;
> --
> 2.34.1
>
>
> --
> kvm-riscv mailing list
> kvm-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kvm-riscv
diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c index c6d42459c2a1..b7ceda1643ec 100644 --- a/arch/riscv/kvm/vcpu_pmu.c +++ b/arch/riscv/kvm/vcpu_pmu.c @@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx, return -EINVAL; fevent_code = get_event_code(pmc->event_idx); + if (fevent_code >= SBI_PMU_FW_MAX) { + pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx); + return -EINVAL; + } pmc->counter_val = kvpmu->fw_event[fevent_code].value; *out_val = pmc->counter_val >> 32;
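Review bot: the pr_warn() inside the new `if (fevent_code >= SBI_PMU_FW_MAX)` block fires whenever a guest reads a firmware counter it never configured, so an unprivileged guest can emit host kernel log lines at will and flood the host log; the `-EINVAL` return already reports the condition to the guest, so either drop the print or make it pr_warn_ratelimited(). Minor: `cidx` is `unsigned long` in the function signature shown in the hunk header, so the format specifier should be `%lu` rather than `%ld`.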
pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest reads a firmware counter that has not been configured, pmc->event_idx is SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing an out-of-bounds access on kvpmu->fw_event[].

Add the same bounds check on fevent_code before accessing the fw_event array.

Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
---
arch/riscv/kvm/vcpu_pmu.c | 4 ++++
1 file changed, 4 insertions(+)