| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Apr 2021 11:07:59 +0200
From: Borislav Petkov <bp@...en8.de>
To: Kai Huang <kai.huang@...el.com>
Cc: kvm@...r.kernel.org, linux-sgx@...r.kernel.org, x86@...nel.org,
linux-kernel@...r.kernel.org, seanjc@...gle.com, jarkko@...nel.org,
luto@...nel.org, dave.hansen@...el.com, rick.p.edgecombe@...el.com,
haitao.huang@...el.com, pbonzini@...hat.com, tglx@...utronix.de,
mingo@...hat.com, hpa@...or.com
Subject: Re: [PATCH v3 13/25] x86/sgx: Add helpers to expose ECREATE and
EINIT to KVM
On Fri, Mar 19, 2021 at 08:23:08PM +1300, Kai Huang wrote:
> + /*
> + * @secs is an untrusted, userspace-provided address. It comes from
> + * KVM and is assumed to be a valid pointer which points somewhere in
> + * userspace. This can fault and call SGX or other fault handlers when
> + * userspace mapping @secs doesn't exist.
> + *
> + * Add a WARN() to make sure @secs is already valid userspace pointer
> + * from caller (KVM), who should already have handled invalid pointer
> + * case (for instance, made by malicious guest). All other checks,
> + * such as alignment of @secs, are deferred to ENCLS itself.
> + */
> + WARN_ON_ONCE(!access_ok(secs, PAGE_SIZE));
So why do we continue here then? IOW:
diff --git a/arch/x86/kernel/cpu/sgx/virt.c b/arch/x86/kernel/cpu/sgx/virt.c
index fdfc21263a95..497b06fc6f7f 100644
--- a/arch/x86/kernel/cpu/sgx/virt.c
+++ b/arch/x86/kernel/cpu/sgx/virt.c
@@ -270,7 +270,7 @@ int __init sgx_vepc_init(void)
*
* Return:
* - 0: ECREATE was successful.
- * - -EFAULT: ECREATE returned error.
+ * - <0: ECREATE returned error.
*/
int sgx_virt_ecreate(struct sgx_pageinfo *pageinfo, void __user *secs,
int *trapnr)
@@ -288,7 +288,9 @@ int sgx_virt_ecreate(struct sgx_pageinfo *pageinfo, void __user *secs,
* case (for instance, made by malicious guest). All other checks,
* such as alignment of @secs, are deferred to ENCLS itself.
*/
- WARN_ON_ONCE(!access_ok(secs, PAGE_SIZE));
+ if (WARN_ON_ONCE(!access_ok(secs, PAGE_SIZE)))
+ return -EINVAL;
+
__uaccess_begin();
ret = __ecreate(pageinfo, (void *)secs);
__uaccess_end();
> + __uaccess_begin();
> + ret = __ecreate(pageinfo, (void *)secs);
> + __uaccess_end();
> +
> + if (encls_faulted(ret)) {
> + *trapnr = ENCLS_TRAPNR(ret);
> + return -EFAULT;
> + }
> +
> + /* ECREATE doesn't return an error code, it faults or succeeds. */
> + WARN_ON_ONCE(ret);
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(sgx_virt_ecreate);
> +
> +static int __sgx_virt_einit(void __user *sigstruct, void __user *token,
> + void __user *secs)
> +{
> + int ret;
> +
> + /*
> + * Make sure all userspace pointers from caller (KVM) are valid.
> + * All other checks deferred to ENCLS itself. Also see comment
> + * for @secs in sgx_virt_ecreate().
> + */
> +#define SGX_EINITTOKEN_SIZE 304
> + WARN_ON_ONCE(!access_ok(sigstruct, sizeof(struct sgx_sigstruct)) ||
> + !access_ok(token, SGX_EINITTOKEN_SIZE) ||
> + !access_ok(secs, PAGE_SIZE));
Ditto.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Powered by blists - more mailing lists