[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.19] cpufreq: Avoid potential buffer overrun and leak

commit 2b82a9d8819accb0c50953176e8a4153acaf0980
Author:     Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
AuthorDate: Thu Jun 26 08:49:06 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jun 26 08:49:06 2025 +0200

    cpufreq: Avoid potential buffer overrun and leak
    
    If set_px_pminfo is called a second time with a larger state_count than
    the first call, calls to PMSTAT_get_pxstat will read beyond the end of
    the pt and trans_pt buffers allocated in cpufreq_statistic_init() since
    they would have been allocated with the original state_count.
    
    Secondly, the states array leaks on each subsequent call of
    set_px_pminfo.
    
    Fix both these issues by ignoring subsequent calls to set_px_pminfo if
    it completed successfully previously. Return success rather than an
    error to avoid errors in the dom0 kernel log when reloading the
    xen_acpi_processor module.
    
    At the same time, fix a leak of the states array on error.
    
    Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 2f36bef3d8478f304f262fffeca543de480872a4
    master date: 2025-06-11 11:06:24 +0200
---
 xen/drivers/cpufreq/cpufreq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
index 8659ad3aee..3bdf86a52a 100644
--- a/xen/drivers/cpufreq/cpufreq.c
+++ b/xen/drivers/cpufreq/cpufreq.c
@@ -510,7 +510,7 @@ int set_px_pminfo(uint32_t acpi_id, struct 
xen_processor_performance *perf)
         }
     }
 
-    if ( perf->flags & XEN_PX_PSS )
+    if ( perf->flags & XEN_PX_PSS && !pxpt->states )
     {
         /* capability check */
         if ( perf->state_count <= 1 )
@@ -527,6 +527,7 @@ int set_px_pminfo(uint32_t acpi_id, struct 
xen_processor_performance *perf)
         }
         if ( copy_from_guest(pxpt->states, perf->states, perf->state_count) )
         {
+            XFREE(pxpt->states);
             ret = -EFAULT;
             goto out;
         }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.