[PATCH 2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()

Jiakai Xu xujiakai2025 at iscas.ac.cn
Thu Mar 5 23:37:39 PST 2026


pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
reads a firmware counter that has not been configured, pmc->event_idx is
SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
an out-of-bounds access on kvpmu->fw_event[].

Add the same bounds check on fevent_code before accessing the fw_event
array.

Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
Signed-off-by: Jiakai Xu <xujiakai2025 at iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut at gmail.com>
---
 arch/riscv/kvm/vcpu_pmu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
index c6d42459c2a1..b7ceda1643ec 100644
--- a/arch/riscv/kvm/vcpu_pmu.c
+++ b/arch/riscv/kvm/vcpu_pmu.c
@@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx,
 		return -EINVAL;
 
 	fevent_code = get_event_code(pmc->event_idx);
+	if (fevent_code >= SBI_PMU_FW_MAX) {
+		pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);
+		return -EINVAL;
+	}
 	pmc->counter_val = kvpmu->fw_event[fevent_code].value;
 
 	*out_val = pmc->counter_val >> 32;
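Review bot: the pr_warn() added after the fevent_code assignment fires on guest-controlled input (per the commit message, a guest reading a firmware counter it never configured is exactly what reaches this branch), so a misbehaving guest can flood the host kernel log simply by issuing that read in a loop; use pr_warn_ratelimited() here, or drop the message altogether since the -EINVAL return already reports the failure back to the guest. Minor style point on the same line: the pr_warn() call runs well past 80 columns, so wrap the format arguments onto a continuation line.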
-- 
2.34.1
