|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging] cpufreq: Avoid potential buffer overrun and leak
commit 2f36bef3d8478f304f262fffeca543de480872a4
Author: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
AuthorDate: Wed Jun 11 11:06:24 2025 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Jun 11 11:06:24 2025 +0200
cpufreq: Avoid potential buffer overrun and leak
If set_px_pminfo is called a second time with a larger state_count than
the first call, calls to PMSTAT_get_pxstat will read beyond the end of
the pt and trans_pt buffers allocated in cpufreq_statistic_init() since
they would have been allocated with the original state_count.
Secondly, the states array leaks on each subsequent call of
set_px_pminfo.
Fix both these issues by ignoring subsequent calls to set_px_pminfo if
it completed successfully previously. Return success rather than an
error to avoid errors in the dom0 kernel log when reloading the
xen_acpi_processor module.
At the same time, fix a leak of the states array on error.
Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
xen/drivers/cpufreq/cpufreq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
index 19e2992335..635f6e8c61 100644
--- a/xen/drivers/cpufreq/cpufreq.c
+++ b/xen/drivers/cpufreq/cpufreq.c
@@ -517,7 +517,7 @@ int set_px_pminfo(uint32_t acpi_id, struct
xen_processor_performance *perf)
}
}
- if ( perf->flags & XEN_PX_PSS )
+ if ( perf->flags & XEN_PX_PSS && !pxpt->states )
{
/* capability check */
if ( perf->state_count <= 1 )
@@ -534,6 +534,7 @@ int set_px_pminfo(uint32_t acpi_id, struct
xen_processor_performance *perf)
}
if ( copy_from_guest(pxpt->states, perf->states, perf->state_count) )
{
+ XFREE(pxpt->states);
ret = -EFAULT;
goto out;
}
--
generated by git-patchbot for /home/xen/git/xen.git#staging
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |