Xen project Mailing List

[PATCH v3 1/5] x86/pmstat: Check size of PMSTAT_get_pxstat buffers

From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

Date: Tue, 27 May 2025 16:26:31 +0100

Cc: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>

Delivery-date: Tue, 27 May 2025 15:27:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Check that the total number of states passed in and hence the size of buffers is sufficient to avoid writing more than the caller has allocated. The interface is not explicit about whether getpx.total is expected to be set by the caller in this case but since it is always set in libxenctrl it seems reasonable to check it and make it explicit. Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> Fixes: c06a7db0c547 ("X86 and IA64: Update cpufreq statistic logic for supporting both x86 and ia64") --- In v3: * Fix if condition * Move some header comments from patch 2 * Clarify some comments xen/drivers/acpi/pmstat.c | 7 +++++-- xen/include/public/sysctl.h | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/xen/drivers/acpi/pmstat.c b/xen/drivers/acpi/pmstat.c index c51b9ca358c2..0d570e28bf11 100644 --- a/xen/drivers/acpi/pmstat.c +++ b/xen/drivers/acpi/pmstat.c @@ -103,8 +103,11 @@ int do_get_pm_info(struct xen_sysctl_get_pmstat *op) cpufreq_residency_update(op->cpuid, pxpt->u.cur); - ct = pmpt->perf.state_count; - if ( copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct*ct) ) + ct = min(pmpt->perf.state_count, op->u.getpx.total + 0U); + + /* Avoid partial copying of 2-D array */ + if ( ct == op->u.getpx.total && + copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * ct) ) { spin_unlock(cpufreq_statistic_lock); ret = -EFAULT; diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 9eca72865b87..906a3364fbd9 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -215,11 +215,22 @@ typedef struct pm_px_val pm_px_val_t; DEFINE_XEN_GUEST_HANDLE(pm_px_val_t); struct pm_px_stat { - uint8_t total; /* total Px states */ + /* + * IN: Number of elements in pt, number of rows/columns in trans_pt + * (PMSTAT_get_pxstat) + * OUT: total Px states (PMSTAT_get_max_px, PMSTAT_get_pxstat) + */ + uint8_t total; uint8_t usable; /* usable Px states */ uint8_t last; /* last Px state */ uint8_t cur; /* current Px state */ - XEN_GUEST_HANDLE_64(uint64) trans_pt; /* Px transition table */ + /* + * OUT: Px transition table. This should have total * total elements. + * As it is a 2-D array, this will not be copied if it is smaller than + * the hypervisor's Px transition table. (PMSTAT_get_pxstat) + */ + XEN_GUEST_HANDLE_64(uint64) trans_pt; + /* OUT: This should have total elements (PMSTAT_get_pxstat) */ XEN_GUEST_HANDLE_64(pm_px_val_t) pt; }; -- 2.49.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.