lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMkAt6qj-iHzk+FqCGh5z4EZHB9BzOfqES8RmjgYXs3CSg3CXQ@mail.gmail.com>
Date:   Wed, 12 Oct 2022 17:31:19 -0600
From:   Peter Gonda <pgonda@...gle.com>
To:     Dionna Glaze <dionnaglaze@...gle.com>
Cc:     x86@...nel.org, linux-kernel@...r.kernel.org,
        Tom Lendacky <Thomas.Lendacky@....com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Joerg Roedel <jroedel@...e.de>,
        Thomas Gleixner <tglx@...utronix.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>
Subject: Re: [PATCH] virt/coco/sev-guest: Initialize err in handle_guest_request

On Tue, Oct 11, 2022 at 6:23 PM Dionna Glaze <dionnaglaze@...gle.com> wrote:
>
> The err variable may not be set in the call to snp_issue_guest_request,
> yet it is unconditionally written back to fw_err if fw_err is non-null.
> This is undefined behavior, and currently returns uninitialized kernel
> stack memory to user space.

Should this be fixed in: snp_issue_guest_request()? Since other
callers might make similar mistakes.

And currently we have:

static long snp_guest_ioctl(...)
{
..
  input.fw_err = 0xff;
..
}

Which I think is an attempt to make fw_err make sense if the FW is
never called, should we try to maintain that property?

>
> Cc: Tom Lendacky <Thomas.Lendacky@....com>
> Cc: Paolo Bonzini <pbonzini@...hat.com>
> Cc: Joerg Roedel <jroedel@...e.de>
> Cc: Peter Gonda <pgonda@...gle.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
>
> Signed-off-by: Dionna Glaze <dionnaglaze@...gle.com>
> ---
>  drivers/virt/coco/sevguest/sevguest.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/virt/coco/sevguest/sevguest.c b/drivers/virt/coco/sevguest/sevguest.c
> index 112c0458cbda..7a62bfc063fc 100644
> --- a/drivers/virt/coco/sevguest/sevguest.c
> +++ b/drivers/virt/coco/sevguest/sevguest.c
> @@ -307,7 +307,7 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
>                                 u8 type, void *req_buf, size_t req_sz, void *resp_buf,
>                                 u32 resp_sz, __u64 *fw_err)
>  {
> -       unsigned long err;
> +       unsigned long err = 0;
>         u64 seqno;
>         int rc;
>
> --
> 2.38.0.rc1.362.ged0d419d3c-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ