| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Nov 2022 15:12:59 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: Dionna Glaze <dionnaglaze@...gle.com>,
linux-kernel@...r.kernel.org, x86@...nel.org
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Joerg Roedel <jroedel@...e.de>,
Peter Gonda <pgonda@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Borislav Petkov <bp@...e.de>, Haowen Bai <baihaowen@...zu.com>,
Liam Merwick <liam.merwick@...cle.com>,
Yang Yingliang <yangyingliang@...wei.com>
Subject: Re: [PATCH v8 3/4] virt: sev-guest: Remove err in
handle_guest_request
On 11/4/22 18:00, Dionna Glaze wrote:
> The err variable may not be set in the call to snp_issue_guest_request,
> yet it is unconditionally written back to fw_err if fw_err is non-null.
> This is undefined behavior, and currently returns uninitialized kernel
> stack memory to user space.
>
> The fw_err argument is better to just pass through to
> snp_issue_guest_request, so we do that by passing along the ioctl
> argument. This removes the need for an argument to handle_guest_request.
>
> Cc: Tom Lendacky <Thomas.Lendacky@....com>
> Cc: Paolo Bonzini <pbonzini@...hat.com>
> Cc: Joerg Roedel <jroedel@...e.de>
> Cc: Peter Gonda <pgonda@...gle.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Borislav Petkov <bp@...e.de>
> Cc: Haowen Bai <baihaowen@...zu.com>
> Cc: Liam Merwick <liam.merwick@...cle.com>
> Cc: Yang Yingliang <yangyingliang@...wei.com>
>
> Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver")
> Signed-off-by: Dionna Glaze <dionnaglaze@...gle.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@....com>
> ---
> drivers/virt/coco/sev-guest/sev-guest.c | 37 ++++++++++++-------------
> 1 file changed, 18 insertions(+), 19 deletions(-)
>
> diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
> index d08ff87c2dac..5615d349b378 100644
> --- a/drivers/virt/coco/sev-guest/sev-guest.c
> +++ b/drivers/virt/coco/sev-guest/sev-guest.c
> @@ -320,11 +320,11 @@ static int enc_payload(struct snp_guest_dev *snp_dev, u64 seqno, int version, u8
> return __enc_payload(snp_dev, req, payload, sz);
> }
>
> -static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, int msg_ver,
> +static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code,
> + struct snp_guest_request_ioctl *arg,
> u8 type, void *req_buf, size_t req_sz, void *resp_buf,
> - u32 resp_sz, __u64 *fw_err)
> + u32 resp_sz)
> {
> - unsigned long err;
> u64 seqno;
> int rc;
>
> @@ -336,12 +336,14 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
> memset(snp_dev->response, 0, sizeof(struct snp_guest_msg));
>
> /* Encrypt the userspace provided payload */
> - rc = enc_payload(snp_dev, seqno, msg_ver, type, req_buf, req_sz);
> + rc = enc_payload(snp_dev, seqno, arg->msg_version, type, req_buf,
> + req_sz);
> if (rc)
> return rc;
>
> /* Call firmware to process the request */
> - rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
> + rc = snp_issue_guest_request(exit_code, &snp_dev->input,
> + &arg->fw_err);
>
> /*
> * If the extended guest request fails due to having to small of a
> @@ -349,23 +351,21 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
> * extended data request.
> */
> if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST &&
> - err == SNP_GUEST_REQ_INVALID_LEN) {
> + arg->fw_err == SNP_GUEST_REQ_INVALID_LEN) {
> const unsigned int certs_npages = snp_dev->input.data_npages;
>
> exit_code = SVM_VMGEXIT_GUEST_REQUEST;
> - rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
> + rc = snp_issue_guest_request(exit_code, &snp_dev->input,
> + &arg->fw_err);
>
> - err = SNP_GUEST_REQ_INVALID_LEN;
> + arg->fw_err = SNP_GUEST_REQ_INVALID_LEN;
> snp_dev->input.data_npages = certs_npages;
> }
>
> - if (fw_err)
> - *fw_err = err;
> -
> if (rc) {
> dev_alert(snp_dev->dev,
> "Detected error from ASP request. rc: %d, fw_err: %llu\n",
> - rc, *fw_err);
> + rc, arg->fw_err);
> goto disable_vmpck;
> }
>
> @@ -412,9 +412,9 @@ static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_io
> if (!resp)
> return -ENOMEM;
>
> - rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
> + rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
> SNP_MSG_REPORT_REQ, &req, sizeof(req), resp->data,
> - resp_len, &arg->fw_err);
> + resp_len);
> if (rc)
> goto e_free;
>
> @@ -452,9 +452,8 @@ static int get_derived_key(struct snp_guest_dev *snp_dev, struct snp_guest_reque
> if (copy_from_user(&req, (void __user *)arg->req_data, sizeof(req)))
> return -EFAULT;
>
> - rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
> - SNP_MSG_KEY_REQ, &req, sizeof(req), buf, resp_len,
> - &arg->fw_err);
> + rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
> + SNP_MSG_KEY_REQ, &req, sizeof(req), buf, resp_len);
> if (rc)
> return rc;
>
> @@ -514,9 +513,9 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
> return -ENOMEM;
>
> snp_dev->input.data_npages = npages;
> - ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg->msg_version,
> + ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg,
> SNP_MSG_REPORT_REQ, &req.data,
> - sizeof(req.data), resp->data, resp_len, &arg->fw_err);
> + sizeof(req.data), resp->data, resp_len);
>
> /* If certs length is invalid then copy the returned length */
> if (arg->fw_err == SNP_GUEST_REQ_INVALID_LEN) {
Powered by blists - more mailing lists