| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b55f2ab4-da7c-5fed-adab-ceca54282ddb@amd.com> Date: Mon, 8 Sep 2025 16:35:58 -0500 From: Tom Lendacky <thomas.lendacky@....com> To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com> Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, Michael Roth <michael.roth@....com> Subject: Re: [PATCH] KVM: SEV: Reject non-positive effective lengths during LAUNCH_UPDATE On 8/26/25 18:37, Sean Christopherson wrote: > Check for an invalid length during LAUNCH_UPDATE at the start of > snp_launch_update() instead of subtly relying on kvm_gmem_populate() to > detect the bad state. Code that directly handles userspace input > absolutely should sanitize those inputs; failure to do so is asking for > bugs where KVM consumes an invalid "npages". > > Keep the check in gmem, but wrap it in a WARN to flag any bad usage by > the caller. > > Note, this is technically an ABI change as KVM would previously allow a > length of '0'. But allowing a length of '0' is nonsensical and creates > pointless conundrums in KVM. E.g. an empty range is arguably neither > private nor shared, but LAUNCH_UPDATE will fail if the starting gpa can't > be made private. In practice, no known or well-behaved VMM passes a > length of '0'. > > Cc: Thomas Lendacky <thomas.lendacky@....com> > Cc: Michael Roth <michael.roth@....com> > Signed-off-by: Sean Christopherson <seanjc@...gle.com> > --- > > Compile tested only. Came across this when trying to figure out how to > handle the batching of gmem post-populate calls. > > arch/x86/kvm/svm/sev.c | 2 ++ > virt/kvm/guest_memfd.c | 3 ++- > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c > index f4381878a9e5..746a57bf1f71 100644 > --- a/arch/x86/kvm/svm/sev.c > +++ b/arch/x86/kvm/svm/sev.c > @@ -2360,6 +2360,8 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp) > return -EINVAL; > > npages = params.len / PAGE_SIZE; > + if (npages <= 0) > + return -EINVAL; Would it make sense to include a !params.len in the giant if check just above this, e.g.: if (!params.len || !PAGE_ALIGNED(params.len) || ... ? That way everything related to checking "params" remains in the one statement. Thanks, Tom > > /* > * For each GFN that's being prepared as part of the initial guest > diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c > index 7d85cc33c0bb..79552467add5 100644 > --- a/virt/kvm/guest_memfd.c > +++ b/virt/kvm/guest_memfd.c > @@ -639,7 +639,8 @@ long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, long > long i; > > lockdep_assert_held(&kvm->slots_lock); > - if (npages < 0) > + > + if (WARN_ON_ONCE(npages <= 0)) > return -EINVAL; > > slot = gfn_to_memslot(kvm, start_gfn); > > base-commit: ecbcc2461839e848970468b44db32282e5059925
Powered by blists - more mailing lists