1. Patchew
  2. Xen
  3. View series

[PATCH] x86/pmstat: correct PMSTAT_get_pxstat buffer size checking

Jan Beulich posted 1 patch 4 months, 2 weeks ago
Failed in applying to current master (apply log)
[PATCH] x86/pmstat: correct PMSTAT_get_pxstat buffer size checking
Posted by Jan Beulich 4 months, 2 weeks ago 
min(pmpt->perf.state_count, op->u.getpx.total) == op->u.getpx.total can
be expressed differently as pmpt->perf.state_count >= op->u.getpx.total.
Copying when the two are equal is fine; (partial) copying when the state
count is larger than the number of array elements that a buffer was
allocated to hold is what - as per the comment - we mean to avoid. Drop
the use of min() again, but retain its effect for the subsequent copying
from pxpt->u.pt.

Fixes: aa70996a6896 ("x86/pmstat: Check size of PMSTAT_get_pxstat buffers")
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/drivers/acpi/pmstat.c
+++ b/xen/drivers/acpi/pmstat.c
@@ -272,11 +272,14 @@ int do_get_pm_info(struct xen_sysctl_get
 
         cpufreq_residency_update(op->cpuid, pxpt->u.cur);
 
-        ct = min(pmpt->perf.state_count, op->u.getpx.total + 0U);
-
-        /* Avoid partial copying of 2-D array */
-        if ( ct == op->u.getpx.total &&
-             copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * ct) )
+        /*
+         * Avoid partial copying of 2-D array, whereas partial copying of a
+         * simple vector (further down) is deemed okay.
+         */
+        ct = pmpt->perf.state_count;
+        if ( ct > op->u.getpx.total )
+            ct = op->u.getpx.total;
+        else if ( copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * ct) )
         {
             spin_unlock(cpufreq_statistic_lock);
             ret = -EFAULT;
Re: [PATCH] x86/pmstat: correct PMSTAT_get_pxstat buffer size checking
Posted by Ross Lagerwall 4 months, 2 weeks ago 
On Mon, Jun 16, 2025 at 1:00 PM Jan Beulich <jbeulich@suse.com> wrote:
>
> min(pmpt->perf.state_count, op->u.getpx.total) == op->u.getpx.total can
> be expressed differently as pmpt->perf.state_count >= op->u.getpx.total.
> Copying when the two are equal is fine; (partial) copying when the state
> count is larger than the number of array elements that a buffer was
> allocated to hold is what - as per the comment - we mean to avoid. Drop
> the use of min() again, but retain its effect for the subsequent copying
> from pxpt->u.pt.
>
> Fixes: aa70996a6896 ("x86/pmstat: Check size of PMSTAT_get_pxstat buffers")
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>

Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>

Thanks,
Ross

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.