When a guest reads a firmware PMU counter via
SBI_EXT_PMU_COUNTER_FW_READ or SBI_EXT_PMU_COUNTER_FW_READ_HI without
first configuring it with SBI_EXT_PMU_COUNTER_CFG_MATCH, the counter's
event_idx remains SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF).

get_event_code() extracts the lower 16 bits from event_idx, yielding
0xFFFF, which is then used to index into kvpmu->fw_event[]. Since the
fw_event array only contains RISCV_KVM_MAX_FW_CTRS entries, this results
in an out-of-bounds access that can be detected by UBSAN.

Patch 1 fixes the issue by validating the firmware event code before
accessing the fw_event array and returning -EINVAL for invalid values.

After fixing the kernel behavior, the existing KVM selftest
(sbi_pmu_test) fails because it attempts to read firmware counters
without configuring them first. Patch 2 updates the selftest to
configure a firmware event before reading the counter and adds a
negative test to ensure that reading an unconfigured firmware counter
fails gracefully.

Jiakai Xu (2):
  RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and
    pmu_fw_ctr_read_hi()
  RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test

 arch/riscv/kvm/vcpu_pmu.c                     |  4 +++
 .../testing/selftests/kvm/include/riscv/sbi.h | 28 +++++++++++++++++++
 .../selftests/kvm/riscv/sbi_pmu_test.c        | 16 ++++++++++-
 3 files changed, 47 insertions(+), 1 deletion(-)

-- 
2.34.1
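The bug and the fix, reduced to a stand-alone model (an added example, not the kernel's code): the names follow the cover letter, while the array sizes, the `struct kvm_pmu` layout and the `read_counter5()` scenario are assumptions made here to show the unchecked 0xFFFF index beside the validated read.

```c
#include <stdint.h>
#include <errno.h>

/* Names follow the cover letter; the array sizes are assumptions for this model. */
#define SBI_PMU_EVENT_IDX_INVALID 0xFFFFFFFFUL
#define RISCV_KVM_MAX_FW_CTRS     32
#define NUM_COUNTERS              64

struct kvm_pmu {
	unsigned long event_idx[NUM_COUNTERS];      /* per-counter configuration */
	uint64_t fw_event[RISCV_KVM_MAX_FW_CTRS];   /* firmware event values */
};

/* Mirrors get_event_code(): the low 16 bits of event_idx. */
static unsigned long get_event_code(unsigned long eidx)
{
	return eidx & 0xFFFF;
}

/* Unpatched path: the fw_event[] index it would use, with no bounds check.
 * An unconfigured counter yields 0xFFFF, far past RISCV_KVM_MAX_FW_CTRS. */
static unsigned long fw_index_unchecked(const struct kvm_pmu *p, int cidx)
{
	return get_event_code(p->event_idx[cidx]);
}

/* Patched path: validate the code against fw_event[] and return -EINVAL first. */
static int fw_ctr_read_checked(const struct kvm_pmu *p, int cidx, uint64_t *val)
{
	unsigned long code = get_event_code(p->event_idx[cidx]);
	if (code >= RISCV_KVM_MAX_FW_CTRS)
		return -EINVAL;
	*val = p->fw_event[code];
	return 0;
}

/* Scenario: read counter 5 unconfigured (configure == 0) or after a CFG_MATCH-style
 * setup with firmware event code 3 (configure == 1); returns the patched read's rc. */
static int read_counter5(int configure, unsigned long *idx, uint64_t *val)
{
	struct kvm_pmu p = { 0 };
	for (int i = 0; i < NUM_COUNTERS; i++)   /* all counters start unconfigured */
		p.event_idx[i] = SBI_PMU_EVENT_IDX_INVALID;
	if (configure) {
		p.event_idx[5] = 3;   /* firmware event code 3 in the low 16 bits */
		p.fw_event[3] = 42;   /* constructed sample value */
	}
	*idx = fw_index_unchecked(&p, 5);
	return fw_ctr_read_checked(&p, 5, val);
}
```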

