[PATCH] powerpc/pseries/energy: validate H_BEST_ENERGY list counts

[Pengpeng Hou]

get_best_energy_list() reads a one-page u32 array from H_BEST_ENERGY and
trusts retbuf[0] as the number of entry pairs stored there. Counts above
the number of pairs that fit in one page make the loop walk past the page
through buf_page[2 * i + 1].

Reject impossible entry counts before indexing the returned buffer.

Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
---
 arch/powerpc/platforms/pseries/pseries_energy.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/powerpc/platforms/pseries/pseries_energy.c b/arch/powerpc/platforms/pseries/pseries_energy.c
index 2c661b798235..575216989539 100644
--- a/arch/powerpc/platforms/pseries/pseries_energy.c
+++ b/arch/powerpc/platforms/pseries/pseries_energy.c
@@ -184,6 +184,7 @@ static int drc_index_to_cpu(u32 drc_index)
 #define FLAGS_MODE1	0x004E200000080E01UL
 #define FLAGS_MODE2	0x004E200000080401UL
 #define FLAGS_ACTIVATE  0x100
+#define BEST_ENERGY_LIST_MAX_ENTRIES	(PAGE_SIZE / (sizeof(u32) * 2))
 
 static ssize_t get_best_energy_list(char *page, int activate)
 {
@@ -208,6 +209,11 @@ static ssize_t get_best_energy_list(char *page, int activate)
 		return -EINVAL;
 	}
 
+	if (retbuf[0] > BEST_ENERGY_LIST_MAX_ENTRIES) {
+		free_page((unsigned long)buf_page);
+		return -EINVAL;
+	}
+
 	cnt = retbuf[0];
 	for (i = 0; i < cnt; i++) {
 		cpu = drc_index_to_cpu(buf_page[2*i+1]);
-- 
2.50.1 (Apple Git-155)