[PATCH 2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()
Andrew Jones
andrew.jones at oss.qualcomm.com
Fri Mar 6 10:53:10 PST 2026
On Fri, Mar 06, 2026 at 07:37:39AM +0000, Jiakai Xu wrote:
> pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
> reads a firmware counter that has not been configured, pmc->event_idx is
> SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
> an out-of-bounds access on kvpmu->fw_event[].
This paragraph won't make sense when it's looked at independently in the
commit history. Either don't reference pmu_ctr_read() or just fix both
with the same commit (I don't see any reason to fix them separately -
the fact that the two locations being fixed were merged separately doesn't
matter, as a commit can have more than one Fixes tag).
>
> Add the same bounds check on fevent_code before accessing the fw_event
> array.
>
> Fixes: 08fb07d6dcf71 ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
> Signed-off-by: Jiakai Xu <xujiakai2025 at iscas.ac.cn>
> Signed-off-by: Jiakai Xu <jiakaiPeanut at gmail.com>
> ---
> arch/riscv/kvm/vcpu_pmu.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
> index c6d42459c2a1..b7ceda1643ec 100644
> --- a/arch/riscv/kvm/vcpu_pmu.c
> +++ b/arch/riscv/kvm/vcpu_pmu.c
> @@ -227,6 +227,10 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, unsigned long cidx,
> return -EINVAL;
>
> fevent_code = get_event_code(pmc->event_idx);
> + if (fevent_code >= SBI_PMU_FW_MAX) {
> + pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);
Same comment about the pr_warn.
Thanks,
drew
> + return -EINVAL;
> + }
> pmc->counter_val = kvpmu->fw_event[fevent_code].value;
>
> *out_val = pmc->counter_val >> 32;
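Review bot: The pr_warn() added in this hunk is reachable from the guest on every read of an unconfigured firmware counter, so a guest can flood the host kernel log by reading such a counter in a loop; the -EINVAL return already reports the condition to the caller, so either drop the message or use pr_warn_ratelimited(). Separately, cidx is declared `unsigned long` in the pmu_fw_ctr_read_hi() signature shown in the hunk header, so the format specifier should be `%lu` rather than `%ld`.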
> --
> 2.34.1