lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <87plbkxcvv.wl-maz@kernel.org>
Date: Sun, 21 Sep 2025 12:29:08 +0100
From: Marc Zyngier <maz@...nel.org>
To: Vincent Donnefort <vdonnefort@...gle.com>
Cc: oliver.upton@...ux.dev,
	joey.gouly@....com,
	suzuki.poulose@....com,
	yuzenghui@...wei.com,
	catalin.marinas@....com,
	will@...nel.org,
	qperret@...gle.com,
	sebastianene@...gle.com,
	keirf@...gle.com,
	linux-arm-kernel@...ts.infradead.org,
	kvmarm@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	kernel-team@...roid.com
Subject: Re: [PATCH v2] KVM: arm64: Check range args for pKVM mem transitions

On Fri, 19 Sep 2025 16:50:56 +0100,
Vincent Donnefort <vdonnefort@...gle.com> wrote:
> 
> There's currently no verification for host issued ranges in most of the
> pKVM memory transitions. The subsequent end boundary might therefore be
> subject to overflow and could evade the later checks.
> 
> Close this loophole with an additional check_range_args() check on a per
> public function basis.
> 
> host_unshare_guest transition is already protected via
> __check_host_shared_guest(), while assert_host_shared_guest() callers
> are already ignoring host checks.
> 
> Signed-off-by: Vincent Donnefort <vdonnefort@...gle.com>
> 
> ---
> 
>  v1 -> v2:
>    - Also check for (nr_pages * PAGE_SIZE) overflow. (Quentin)
>    - Rename to check_range_args().
> 
> diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> index 8957734d6183..65fcd2148f59 100644
> --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> @@ -712,6 +712,14 @@ static int __guest_check_page_state_range(struct pkvm_hyp_vm *vm, u64 addr,
>  	return check_page_state_range(&vm->pgt, addr, size, &d);
>  }
>  
> +static bool check_range_args(u64 start, u64 nr_pages, u64 *size)
> +{
> +	if (check_mul_overflow(nr_pages, PAGE_SIZE, size))
> +		return false;
> +
> +	return start < (start + *size);

I will echo Oliver's concern on v1: you probably want to convert the
boundary check to be inclusive of the end of the range. Otherwise, a
range that ends at the top of the 64bit range will be represented as
0, and fail the  check despite being perfectly valid.

That's not a problem for PAs, as we will be stuck with at most 56bit
PAs for quite a while, but VAs are a different story, and this sort of
range check should be valid for VAs as well.

Thanks,

	M.

-- 
Jazz isn't dead. It just smells funny.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ