| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <63b7c94b-3d37-42c7-bbfb-8547d46f3b1b@amd.com>
Date: Sat, 20 Sep 2025 12:21:18 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
Michael Roth <michael.roth@....com>
Subject: Re: [PATCH v2] KVM: SEV: Reject non-positive effective lengths during
LAUNCH_UPDATE
On 9/19/25 16:16, Sean Christopherson wrote:
> Check for an invalid length during LAUNCH_UPDATE at the start of
> snp_launch_update() instead of subtly relying on kvm_gmem_populate() to
> detect the bad state. Code that directly handles userspace input
> absolutely should sanitize those inputs; failure to do so is asking for
> bugs where KVM consumes an invalid "npages".
>
> Keep the check in gmem, but wrap it in a WARN to flag any bad usage by
> the caller.
>
> Note, this is technically an ABI change as KVM would previously allow a
> length of '0'. But allowing a length of '0' is nonsensical and creates
> pointless conundrums in KVM. E.g. an empty range is arguably neither
> private nor shared, but LAUNCH_UPDATE will fail if the starting gpa can't
> be made private. In practice, no known or well-behaved VMM passes a
> length of '0'.
>
> Note #2, the PAGE_ALIGNED(params.len) check ensures that lengths between
> 1 and 4095 (inclusive) are also rejected, i.e. that KVM won't end up with
> npages=0 when doing "npages = params.len / PAGE_SIZE".
>
> Cc: Thomas Lendacky <thomas.lendacky@....com>
> Cc: Michael Roth <michael.roth@....com>
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@....com>
> ---
>
> v2: Check params.len right away. [Tom]
>
> v1: https://lore.kernel.org/all/20250826233734.4011090-1-seanjc@google.com
>
> arch/x86/kvm/svm/sev.c | 2 +-
> virt/kvm/guest_memfd.c | 3 ++-
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index cce48fff2e6c..31b3e128e521 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -2370,7 +2370,7 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
> pr_debug("%s: GFN start 0x%llx length 0x%llx type %d flags %d\n", __func__,
> params.gfn_start, params.len, params.type, params.flags);
>
> - if (!PAGE_ALIGNED(params.len) || params.flags ||
> + if (!params.len || !PAGE_ALIGNED(params.len) || params.flags ||
> (params.type != KVM_SEV_SNP_PAGE_TYPE_NORMAL &&
> params.type != KVM_SEV_SNP_PAGE_TYPE_ZERO &&
> params.type != KVM_SEV_SNP_PAGE_TYPE_UNMEASURED &&
> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> index 08a6bc7d25b6..1d323ca178cb 100644
> --- a/virt/kvm/guest_memfd.c
> +++ b/virt/kvm/guest_memfd.c
> @@ -716,7 +716,8 @@ long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, long
> long i;
>
> lockdep_assert_held(&kvm->slots_lock);
> - if (npages < 0)
> +
> + if (WARN_ON_ONCE(npages <= 0))
> return -EINVAL;
>
> slot = gfn_to_memslot(kvm, start_gfn);
>
> base-commit: c8fbf7ceb2ae3f64b0c377c8c21f6df577a13eb4
Powered by blists - more mailing lists