
[PATCH v2 3/5] cpufreq: Avoid potential buffer overrun and leak



If set_px_pminfo is called a second time with a larger state_count than
the first call, calls to PMSTAT_get_pxstat will read beyond the end of
the pt and trans_pt buffers allocated in cpufreq_statistic_init() since
they would have been allocated with the original state_count.

Secondly, the states array leaks on each subsequent call of
set_px_pminfo.

As far as I know, there is no valid reason to call set_px_pminfo
multiple times for the same CPU so fix both these issues by disallowing
it.

At the same time, fix a leak of the states array on error.

Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---

* New in v2.

 xen/drivers/cpufreq/cpufreq.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
index 19e29923356a..bf65403ff50b 100644
--- a/xen/drivers/cpufreq/cpufreq.c
+++ b/xen/drivers/cpufreq/cpufreq.c
@@ -520,7 +520,7 @@ int set_px_pminfo(uint32_t acpi_id, struct 
xen_processor_performance *perf)
     if ( perf->flags & XEN_PX_PSS )
     {
         /* capability check */
-        if ( perf->state_count <= 1 )
+        if ( perf->state_count <= 1 || pxpt->states )
         {
             ret = -EINVAL;
             goto out;
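
Review bot: the new `|| pxpt->states` test sits under the `/* capability check */` comment and shares -EINVAL with the `state_count <= 1` case, so a caller cannot tell a refused repeat call from a bad state count. Consider making it a separate check with its own comment saying that a second registration is refused because the statistics buffers were sized from the first state_count, and returning a distinct error such as -EBUSY. This check also turns a non-NULL pxpt->states into the "already initialised" marker, so any failure path that runs after the allocation has to clear the pointer, otherwise one failed call blocks every retry for that CPU.
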
@@ -534,6 +534,8 @@ int set_px_pminfo(uint32_t acpi_id, struct 
xen_processor_performance *perf)
         }
         if ( copy_from_guest(pxpt->states, perf->states, perf->state_count) )
         {
+            xfree(pxpt->states);
+            pxpt->states = NULL;
             ret = -EFAULT;
             goto out;
         }
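
Review bot: in the copy_from_guest() failure branch the added `xfree(pxpt->states);` and `pxpt->states = NULL;` can be written as a single `XFREE(pxpt->states);`, which frees and clears the pointer in one step. Clearing it is no longer just tidiness, because the first hunk treats a non-NULL pxpt->states as "already set"; a short comment to that effect here would keep the reset from being dropped in a later cleanup.
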
-- 
2.49.0




 

