lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2b5499db-7752-7919-5e12-25475fe6372f@amd.com>
Date:   Mon, 30 Oct 2017 11:33:54 -0500
From:   Brijesh Singh <brijesh.singh@....com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     brijesh.singh@....com, kvm@...r.kernel.org,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Radim Krčmář <rkrcmar@...hat.com>,
        Joerg Roedel <joro@...tes.org>,
        Tom Lendacky <thomas.lendacky@....com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [Part2 PATCH v6 32/38] KVM: SVM: Add support for SEV
 DEBUG_DECRYPT command



On 10/30/17 10:12 AM, Borislav Petkov wrote:
...
> Lemme see:
>
> sev_dbg_crypt() does
>
>                 ret = __sev_dbg_decrypt(kvm,
>                                        __sme_page_pa(src_p[0]) + s_off,
>                                        dst_vaddr, 0,
>                                        __sme_page_pa(dst_p[0]) + d_off,
>                                        len, &argp->error);
>
> and that 4th argument is 0. IINM, that's dst_kaddr and you're doing
>
> 	memcpy((void *)dst_kaddr, page_address(tpage) + offset, size);
> 		^^^^^^^^^^^^^^^^

The 3rd argument 'dst_uaddr' should always contain a valid value and 4th
argument should not be used. The else statement should not be used
during DBG_DECRYPT command.

                 /*
                  * If destination buffer is a userspace buffer then use
                  * copy_to_user otherwise memcpy.
                  */
                 if (dst_uaddr) {
                         if (copy_to_user((void __user
*)(uintptr_t)dst_uaddr,
                                          page_address(tpage) + offset,
size))
                                 ret = -EFAULT;
                 } else {
                         memcpy((void *)dst_kaddr, page_address(tpage) +
offset, size);
                 }


Here is sequence

sev_dbg_crypt() does:

      dst_vaddr = params.dst_uaddr;
      .......
      for(...) {
            dst_p = sev_pin_memory(..., dst_vaddr ...)
            if (!dst_p) {
                    return -EFAULT;
             }

           

	ret = __sev_dbg_decrypt(kvm,
                                __sme_page_pa(src_p[0]) + s_off,
                                dst_vaddr, 0,
                                __sme_page_pa(dst_p[0]) + d_off,
                                len, &argp->error);

....


The 3rd argument will be zero when we are handling the  DBG_ENCRYPT 
with length not aligned to 16-byte boundary.  In that case we allocate a
intermediate buffer (dst_kaddr). I will try with gcc7 and  look into
restructure code to fix the compiler warning.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ