|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH v3 3/5] cpufreq: Avoid potential buffer overrun and leak
If set_px_pminfo is called a second time with a larger state_count than
the first call, calls to PMSTAT_get_pxstat will read beyond the end of
the pt and trans_pt buffers allocated in cpufreq_statistic_init() since
they would have been allocated with the original state_count.
Secondly, the states array leaks on each subsequent call of
set_px_pminfo.
Fix both these issues by ignoring subsequent calls to set_px_pminfo if
it completed successfully previously. Return success rather than an
error to avoid errors in the dom0 kernel log when reloading the
xen_acpi_processor module.
At the same time, fix a leak of the states array on error.
Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
In v3:
* Return success rather than an error when called a second time
* Use XFREE
xen/drivers/cpufreq/cpufreq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
index 19e29923356a..635f6e8c61a5 100644
--- a/xen/drivers/cpufreq/cpufreq.c
+++ b/xen/drivers/cpufreq/cpufreq.c
@@ -517,7 +517,7 @@ int set_px_pminfo(uint32_t acpi_id, struct
xen_processor_performance *perf)
}
}
- if ( perf->flags & XEN_PX_PSS )
+ if ( perf->flags & XEN_PX_PSS && !pxpt->states )
{
/* capability check */
if ( perf->state_count <= 1 )
@@ -534,6 +534,7 @@ int set_px_pminfo(uint32_t acpi_id, struct
xen_processor_performance *perf)
}
if ( copy_from_guest(pxpt->states, perf->states, perf->state_count) )
{
+ XFREE(pxpt->states);
ret = -EFAULT;
goto out;
}
--
2.49.0
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |