| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <83da61dcafc88c9c89f336d7387ecd9aa2857ab7.camel@intel.com>
Date: Fri, 28 Oct 2022 02:21:49 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"ak@...ux.intel.com" <ak@...ux.intel.com>
CC: "Hansen, Dave" <dave.hansen@...el.com>,
"Luck, Tony" <tony.luck@...el.com>,
"bagasdotme@...il.com" <bagasdotme@...il.com>,
"Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
"Christopherson,, Sean" <seanjc@...gle.com>,
"Chatre, Reinette" <reinette.chatre@...el.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"Yamahata, Isaku" <isaku.yamahata@...el.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"Shahar, Sagi" <sagis@...gle.com>,
"imammedo@...hat.com" <imammedo@...hat.com>,
"Gao, Chao" <chao.gao@...el.com>,
"Brown, Len" <len.brown@...el.com>,
"sathyanarayanan.kuppuswamy@...ux.intel.com"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"Williams, Dan J" <dan.j.williams@...el.com>
Subject: Re: [PATCH v6 12/21] x86/virt/tdx: Add placeholder to construct TDMRs
to cover all TDX memory regions
On Thu, 2022-10-27 at 08:31 -0700, Andi Kleen wrote:
> > +/* Calculate the actual TDMR_INFO size */
> > +static inline int cal_tdmr_size(void)
> > +{
> > + int tdmr_sz;
> > +
> > + /*
> > + * The actual size of TDMR_INFO depends on the maximum number
> > + * of reserved areas.
> > + */
> > + tdmr_sz = sizeof(struct tdmr_info);
> > + tdmr_sz += sizeof(struct tdmr_reserved_area) *
> > + tdx_sysinfo.max_reserved_per_tdmr;
>
>
> would seem safer to have a overflow check here.
>
>
How about below?
--- a/arch/x86/virt/vmx/tdx/tdx.c
+++ b/arch/x86/virt/vmx/tdx/tdx.c
@@ -614,6 +614,14 @@ static inline int cal_tdmr_size(void)
tdmr_sz += sizeof(struct tdmr_reserved_area) *
tdx_sysinfo.max_reserved_per_tdmr;
+ /*
+ * Do simple check against overflow, and return 0 (invalid)
+ * TDMR_INFO size if it happened. Also WARN() as it should
+ * should never happen in reality.
+ */
+ if (WARN_ON_ONCE(tdmr_sz < 0))
+ return 0;
+
/*
* TDX requires each TDMR_INFO to be 512-byte aligned. Always
* round up TDMR_INFO size to the 512-byte boundary.
@@ -623,19 +631,27 @@ static inline int cal_tdmr_size(void)
static struct tdmr_info *alloc_tdmr_array(int *array_sz)
{
+ int sz;
+
/*
* TDX requires each TDMR_INFO to be 512-byte aligned.
* Use alloc_pages_exact() to allocate all TDMRs at once.
* Each TDMR_INFO will still be 512-byte aligned since
* cal_tdmr_size() always return 512-byte aligned size.
*/
- *array_sz = cal_tdmr_size() * tdx_sysinfo.max_tdmrs;
+ sz = cal_tdmr_size() * tdx_sysinfo.max_tdmrs;
+
+ /* Overflow */
+ if (!sz || WARN_ON_ONCE(sz < 0))
+ return NULL;
+
+ *array_sz = sz;
/*
* Zero the buffer so 'struct tdmr_info::size' can be
* used to determine whether a TDMR is valid.
*/
- return alloc_pages_exact(*array_sz, GFP_KERNEL | __GFP_ZERO);
+ return alloc_pages_exact(sz, GFP_KERNEL | __GFP_ZERO);
}
Btw, should I use alloc_contig_pages() instead of alloc_pages_exact() as IIUC
the latter should fail if the size is larger than 4MB? In reality, the entire
array only takes dozens of KBs, though.
Powered by blists - more mailing lists