lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <51219031-935d-8da4-7d8f-80073a79f794@amd.com>
Date:   Fri, 13 May 2022 18:11:15 +0000
From:   Ashish Kalra <ashkalra@....com>
To:     Sean Christopherson <seanjc@...gle.com>,
        Peter Gonda <pgonda@...gle.com>
Cc:     Ashish Kalra <Ashish.Kalra@....com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, Joerg Roedel <joro@...tes.org>,
        "Lendacky, Thomas" <Thomas.Lendacky@....com>,
        Borislav Petkov <bp@...en8.de>,
        the arch/x86 maintainers <x86@...nel.org>,
        kvm list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Andy Nguyen <theflow@...gle.com>,
        David Rientjes <rientjes@...gle.com>,
        John Allen <john.allen@....com>
Subject: Re: [PATCH] KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent
 kernel memory leak.

Hello Sean & Peter,

On 5/13/22 14:49, Sean Christopherson wrote:
> On Fri, May 13, 2022, Peter Gonda wrote:
>> On Thu, May 12, 2022 at 4:23 PM Ashish Kalra <Ashish.Kalra@....com> wrote:
>>> From: Ashish Kalra <ashish.kalra@....com>
>>>
>>> For some sev ioctl interfaces, the length parameter that is passed may be
>>> less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data
>>> that PSP firmware returns. In this case, kmalloc will allocate memory
>>> that is the size of the input rather than the size of the data.
>>> Since PSP firmware doesn't fully overwrite the allocated buffer, these
>>> sev ioctl interfaces may return uninitialized kernel slab memory.
>>>
>>> Reported-by: Andy Nguyen <theflow@...gle.com>
>>> Suggested-by: David Rientjes <rientjes@...gle.com>
>>> Suggested-by: Peter Gonda <pgonda@...gle.com>
>>> Cc: kvm@...r.kernel.org
>>> Cc: linux-kernel@...r.kernel.org
>>> Signed-off-by: Ashish Kalra <ashish.kalra@....com>
>>> ---
>>>   arch/x86/kvm/svm/sev.c | 6 +++---
>>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>> Can we just update all the kmalloc()s that buffers get given to the
>> PSP? For instance doesn't sev_send_update_data() have an issue?
>> Reading the PSP spec it seems like a user can call this ioctl with a
>> large hdr_len and the PSP will only fill out what's actually required
>> like in these fixed up cases? This is assuming the PSP is written to
>> spec (and just the current version). I'd rather have all of these
>> instances updated.

Yes, this function is also vulnerable as it allocates the return buffer
using kmalloc() and copies back to user the buffer sized as per the user
provided length (and not the FW returned length), so it surely needs fixup.

I will update all these instances to use kzalloc() instead of kmalloc().

> Agreed, the kernel should explicitly initialize any copy_to_user() source and
> never rely on the PSP to fill the entire blob unless there's an ironclad guarantee
> the entire struct/blob will be written.  E.g. it's probably ok to skip zeroing
> "data" in sev_ioctl_do_platform_status(), but even then it might be worthwhile as
> defense-in-depth.
>
> Looking through other copy_to_user() calls:
>
>    - "blob" in sev_ioctl_do_pek_csr()
>    - "id_blob" in sev_ioctl_do_get_id2()
>    - "pdh_blob" and "cert_blob" in sev_ioctl_do_pdh_export()

These functions are part of the ccp driver and a fix for them has
already been sent upstream to linux-crypto@...r.kernel.org and
linux-kernel@...r.kernel.org:

[PATCH] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent
kernel memory leak

Thanks,

Ashish

>
> The last one is probably fine since the copy length comes from the PSP, but it's
> not like these ioctls are performance critical...
>
> 	/* If we query the length, FW responded with expected data. */
> 	input.cert_chain_len = data.cert_chain_len;
> 	input.pdh_cert_len = data.pdh_cert_len;
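
The pattern the thread is discussing, as an added userspace C model that is not code from this thread, from arch/x86/kvm/svm/sev.c or from the ccp driver: a buffer sized from the user's length is handed to firmware, firmware writes only the bytes it has, and the handler copies the user's length back. fake_psp_cmd, fake_kmalloc, sev_ioctl_model, fw_blob and the 64-byte caller buffer are all constructed stand-ins (malloc() filled with 0xA5 plays the part of a recycled slab object). The two fixes raised above, kzalloc() and copying the firmware-returned length, are separate knobs so each can be tested on its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEV_FW_BLOB_MAX_SIZE 16384	/* limit the SEV ioctl handlers apply to user lengths */
#define STALE_BYTE 0xA5			/* stand-in for a recycled slab object's old contents */
#define USER_BUF_LEN 64			/* what our pretend userspace caller asks for */

/* Constructed firmware reply, deliberately shorter than the user's buffer. */
static const uint8_t fw_blob[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

/*
 * Hypothetical stand-in for the PSP command: writes sizeof fw_blob bytes into
 * buf, reports that length, and leaves every byte beyond it untouched.
 */
static int fake_psp_cmd(uint8_t *buf, uint32_t *len)
{
	if (*len < sizeof fw_blob) {	/* too small: report the needed length */
		*len = sizeof fw_blob;
		return -1;
	}
	memcpy(buf, fw_blob, sizeof fw_blob);
	*len = sizeof fw_blob;
	return 0;
}

/* kmalloc() stand-in: a recycled slab object still holds its old contents. */
static void *fake_kmalloc(size_t n)
{
	void *p = malloc(n);
	if (p)
		memset(p, STALE_BYTE, n);
	return p;
}

/*
 * Model of the ioctl handler with the two fixes from the thread as knobs:
 *   zero_alloc  - kzalloc() (calloc here) instead of kmalloc()
 *   copy_fw_len - copy and report the firmware's length, not the user's
 * With both off, this is the shape the patch is fixing.
 */
static int sev_ioctl_model(int zero_alloc, int copy_fw_len, uint32_t user_len,
			   uint8_t *user_out, uint32_t *out_len)
{
	uint32_t fw_len = user_len, n;
	uint8_t *blob;
	int ret;

	if (user_len > SEV_FW_BLOB_MAX_SIZE)
		return -1;
	blob = zero_alloc ? calloc(1, user_len) : fake_kmalloc(user_len);
	if (!blob)
		return -1;
	ret = fake_psp_cmd(blob, &fw_len);
	if (ret == 0) {
		n = copy_fw_len ? fw_len : user_len;
		memcpy(user_out, blob, n);	/* the copy_to_user() in the real driver */
		*out_len = n;
	}
	free(blob);
	return ret;
}

struct outcome { size_t stale; uint32_t len; };

/* Run the model against a zeroed user buffer; count stale bytes that reached it. */
static struct outcome run_case(int zero_alloc, int copy_fw_len)
{
	uint8_t out[USER_BUF_LEN] = { 0 };
	struct outcome o = { 0, 0 };

	if (sev_ioctl_model(zero_alloc, copy_fw_len, sizeof out, out, &o.len)) {
		o.stale = (size_t)-1;
		return o;
	}
	for (size_t i = 0; i < sizeof out; i++)
		o.stale += (out[i] == STALE_BYTE);
	return o;
}

static size_t leaked_bytes(int z, int f)   { return run_case(z, f).stale; }
static uint32_t reported_len(int z, int f) { return run_case(z, f).len; }

int main(void)
{
	static const char *name[] = { "kmalloc, copy user_len", "kzalloc, copy user_len",
				      "kmalloc, copy fw_len  ", "kzalloc, copy fw_len  " };
	for (int i = 0; i < 4; i++)
		printf("%s: %zu stale bytes leaked, %u bytes reported\n", name[i],
		       leaked_bytes(i & 1, i >> 1), reported_len(i & 1, i >> 1));
	return 0;
}
```

With both knobs off, 56 of the 64 bytes handed back are the stale fill, which is the leak the patch is about. Either fix alone closes it: kzalloc() makes the unwritten tail zero but still reports the user's 64 bytes, while copying the firmware-returned length hands back exactly 8 bytes and never touches the tail at all, which is why the pdh_export path that takes its copy length from the PSP is less exposed. Doing both is the defense-in-depth the thread settles on, since the second fix relies on the firmware reporting an honest length.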
