[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cd13ba15-b1a9-0475-96a8-5500015d8510@amd.com>
Date: Tue, 7 Feb 2023 12:39:44 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: Peter Gonda <pgonda@...gle.com>, kvm@...r.kernel.org
Cc: Andy Nguyen <theflow@...gle.com>,
David Rientjes <rientjes@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
stable@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH V2] KVM: sev: Fix potential overflow
send|recieve_update_data
On 2/7/23 11:13, Peter Gonda wrote:
> KVM_SEV_SEND_UPDATE_DATA and KVM_SEV_RECEIVE_UPDATE_DATA have an integer
> overflow issue. Params.guest_len and offset are both 32bite wide, with a
> large params.guest_len the check to confirm a page boundary is not
> crossed can falsely pass:
>
> /* Check if we are crossing the page boundary *
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> if ((params.guest_len + offset > PAGE_SIZE))
>
> Add an additional check to this conditional to confirm that
> params.guest_len itself is not greater than PAGE_SIZE.
>
> The current code is can only overflow with a params.guest_len of greater
> than 0xfffff000. And the FW spec says these commands fail with lengths
> greater than 16KB. So this issue should not be a security concern
>
> Fixes: 15fb7de1a7f5 ("KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command")
> Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command")
> Reported-by: Andy Nguyen <theflow@...gle.com>
> Suggested-by: Thomas Lendacky <thomas.lendacky@....com>
> Signed-off-by: Peter Gonda <pgonda@...gle.com>
> Cc: David Rientjes <rientjes@...gle.com>
> Cc: Paolo Bonzini <pbonzini@...hat.com>
> Cc: Sean Christopherson <seanjc@...gle.com>
> Cc: kvm@...r.kernel.org
> Cc: stable@...r.kernel.org
> Cc: linux-kernel@...r.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@....com>
> ---
>
> V2
> * Updated conditional based on feedback from Tom.
>
> ---
> arch/x86/kvm/svm/sev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 273cba809328..3d74facaead8 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>
> /* Check if we are crossing the page boundary */
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> - if ((params.guest_len + offset > PAGE_SIZE))
> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
> return -EINVAL;
>
> /* Pin guest memory */
> @@ -1474,7 +1474,7 @@ static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>
> /* Check if we are crossing the page boundary */
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> - if ((params.guest_len + offset > PAGE_SIZE))
> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
> return -EINVAL;
>
> hdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len);
Powered by blists - more mailing lists