pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
reads a firmware counter that has not been configured, pmc->event_idx is
SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
an out-of-bounds access on kvpmu->fw_event[].
Add the same bounds check on fevent_code before accessing the fw_event
array.
Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
---
arch/riscv/kvm/vcpu_pmu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
index c6d42459c2a1..b7ceda1643ec 100644
--- a/arch/riscv/kvm/vcpu_pmu.c
+++ b/arch/riscv/kvm/vcpu_pmu.c
@@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx,
return -EINVAL;
fevent_code = get_event_code(pmc->event_idx);
+ if (fevent_code >= SBI_PMU_FW_MAX) {
+ pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);
+ return -EINVAL;
+ }
pmc->counter_val = kvpmu->fw_event[fevent_code].value;
*out_val = pmc->counter_val >> 32;
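Review bot: the pr_warn() inside the new bounds check sits on a guest-controlled path, since the commit message says a guest reading an unconfigured firmware counter is what reaches it, so a guest can fill the host log at will; prefer dropping the message (the -EINVAL already reports the failure to the caller) or at least using pr_warn_ratelimited() in its place.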
--
2.34.1
On Fri, Mar 06, 2026 at 07:37:39AM +0000, Jiakai Xu wrote:
> pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
> reads a firmware counter that has not been configured, pmc->event_idx is
> SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
> an out-of-bounds access on kvpmu->fw_event[].
This paragraph won't make sense when it's looked at independently in the
commit history. Either don't reference pmu_ctr_read() or just fix both
with the same commit (I don't see any reason to fix them separately -
the fact the two locations getting fixed were merged separately doesn't
matter as a commit can have more than one Fixes tag)
>
> Add the same bounds check on fevent_code before accessing the fw_event
> array.
>
> Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
> ---
> arch/riscv/kvm/vcpu_pmu.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
> index c6d42459c2a1..b7ceda1643ec 100644
> --- a/arch/riscv/kvm/vcpu_pmu.c
> +++ b/arch/riscv/kvm/vcpu_pmu.c
> @@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx,
> return -EINVAL;
>
> fevent_code = get_event_code(pmc->event_idx);
> + if (fevent_code >= SBI_PMU_FW_MAX) {
> + pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);
Same comment about the pr_warn.
Thanks,
drew
> + return -EINVAL;
> + }
> pmc->counter_val = kvpmu->fw_event[fevent_code].value;
>
> *out_val = pmc->counter_val >> 32;
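Review bot: the format string in the added pr_warn() does not match its arguments: cidx is declared `unsigned long` in the hunk header, so it should be printed with `%lu` rather than `%ld`, and if fevent_code is an unsigned type (which a comparison against an array bound suggests), `%d` should be `%u`; otherwise the message can show negative values for large inputs.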
> --
> 2.34.1
>
>
> --
> kvm-riscv mailing list
> kvm-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kvm-riscv