
[xen master] x86/pmstat: correct PMSTAT_get_pxstat buffer size checking



commit fb16c7411d6e1278155c144fd3310a12f2efbf5e
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Wed Jun 18 09:25:09 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Jun 18 09:25:09 2025 +0200

    x86/pmstat: correct PMSTAT_get_pxstat buffer size checking
    
    min(pmpt->perf.state_count, op->u.getpx.total) == op->u.getpx.total can
    be expressed differently as pmpt->perf.state_count >= op->u.getpx.total.
    Copying when the two are equal is fine; (partial) copying when the state
    count is larger than the number of array elements that a buffer was
    allocated to hold is what - as per the comment - we mean to avoid. Drop
    the use of min() again, but retain its effect for the subsequent copying
    from pxpt->u.pt.
    
    Fixes: aa70996a6896 ("x86/pmstat: Check size of PMSTAT_get_pxstat buffers")
    Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
 xen/drivers/acpi/pmstat.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/xen/drivers/acpi/pmstat.c b/xen/drivers/acpi/pmstat.c
index 2a1f5493fa..80dc121e14 100644
--- a/xen/drivers/acpi/pmstat.c
+++ b/xen/drivers/acpi/pmstat.c
@@ -272,11 +272,14 @@ int do_get_pm_info(struct xen_sysctl_get_pmstat *op)
 
         cpufreq_residency_update(op->cpuid, pxpt->u.cur);
 
-        ct = min(pmpt->perf.state_count, op->u.getpx.total + 0U);
-
-        /* Avoid partial copying of 2-D array */
-        if ( ct == op->u.getpx.total &&
-             copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * ct) )
+        /*
+         * Avoid partial copying of 2-D array, whereas partial copying of a
+         * simple vector (further down) is deemed okay.
+         */
+        ct = pmpt->perf.state_count;
+        if ( ct > op->u.getpx.total )
+            ct = op->u.getpx.total;
+        else if ( copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * 
ct) )
         {
             spin_unlock(cpufreq_statistic_lock);
             ret = -EFAULT;
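Review bot: In the `ct > op->u.getpx.total` branch the 2-D `trans_pt` copy is skipped with no error and no other signal. That it is skipped at all is only implied by the clamp and the `copy_to_guest()` call sharing one if/else chain. The new comment explains why partial copying is avoided, but it does not say that the guest's `trans_pt` buffer is left unwritten when the state count exceeds `total`. One more sentence in the comment would make that explicit, so a later edit does not split the chain and reintroduce the partial copy. Separately, the removed `min()` line used `+ 0U` to force `op->u.getpx.total` to unsigned. The declarations are not visible in this hunk, so it is worth confirming that the direct comparison in `if ( ct > op->u.getpx.total )` still compares the two values as unsigned on all builds.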
--
generated by git-patchbot for /home/xen/git/xen.git#master



 

