KVM_SEV_SEND_UPDATE_DATA and KVM_SEV_RECEIVE_UPDATE_DATA have an integer
overflow issue. Params.guest_len and offset are both 32bite wide, with a
large params.guest_len the check to confirm a page boundary is not
crossed can falsely pass:
/* Check if we are crossing the page boundary *
offset = params.guest_uaddr & (PAGE_SIZE - 1);
if ((params.guest_len + offset > PAGE_SIZE))
Add an additional check to this conditional to confirm that
params.guest_len itself is not greater than PAGE_SIZE.
The current code is can only overflow with a params.guest_len of greater
than 0xfffff000. And the FW spec says these commands fail with lengths
greater than 16KB. So this issue should not be a security concern
Fixes: 15fb7de1a7f5 ("KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command")
Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command")
Reported-by: Andy Nguyen <[email protected]>
Suggested-by: Thomas Lendacky <[email protected]>
Signed-off-by: Peter Gonda <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Paolo Bonzini <[email protected]>
Cc: Sean Christopherson <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
arch/x86/kvm/svm/sev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 273cba809328..9451de72f917 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
/* Check if we are crossing the page boundary */
offset = params.guest_uaddr & (PAGE_SIZE - 1);
- if ((params.guest_len + offset > PAGE_SIZE))
+ if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
return -EINVAL;
/* Pin guest memory */
@@ -1474,7 +1474,7 @@ static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
/* Check if we are crossing the page boundary */
offset = params.guest_uaddr & (PAGE_SIZE - 1);
- if ((params.guest_len + offset > PAGE_SIZE))
+ if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
return -EINVAL;
hdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len);
--
2.39.0.314.g84b9a713c41-goog
On 1/9/23 10:08, Peter Gonda wrote:
> KVM_SEV_SEND_UPDATE_DATA and KVM_SEV_RECEIVE_UPDATE_DATA have an integer
> overflow issue. Params.guest_len and offset are both 32bite wide, with a
> large params.guest_len the check to confirm a page boundary is not
> crossed can falsely pass:
>
> /* Check if we are crossing the page boundary *
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> if ((params.guest_len + offset > PAGE_SIZE))
>
> Add an additional check to this conditional to confirm that
> params.guest_len itself is not greater than PAGE_SIZE.
>
> The current code is can only overflow with a params.guest_len of greater
> than 0xfffff000. And the FW spec says these commands fail with lengths
> greater than 16KB. So this issue should not be a security concern
>
> Fixes: 15fb7de1a7f5 ("KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command")
> Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command")
> Reported-by: Andy Nguyen <[email protected]>
> Suggested-by: Thomas Lendacky <[email protected]>
> Signed-off-by: Peter Gonda <[email protected]>
> Cc: David Rientjes <[email protected]>
> Cc: Paolo Bonzini <[email protected]>
> Cc: Sean Christopherson <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> ---
> arch/x86/kvm/svm/sev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 273cba809328..9451de72f917 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>
> /* Check if we are crossing the page boundary */
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> - if ((params.guest_len + offset > PAGE_SIZE))
> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
I see the original if statement had double parentheses, which looks
strange. Should this if (and the one below) be:
if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
Thanks,
Tom
> return -EINVAL;
>
> /* Pin guest memory */
> @@ -1474,7 +1474,7 @@ static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>
> /* Check if we are crossing the page boundary */
> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> - if ((params.guest_len + offset > PAGE_SIZE))
> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
> return -EINVAL;
>
> hdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len);
> >
> > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> > index 273cba809328..9451de72f917 100644
> > --- a/arch/x86/kvm/svm/sev.c
> > +++ b/arch/x86/kvm/svm/sev.c
> > @@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
> >
> > /* Check if we are crossing the page boundary */
> > offset = params.guest_uaddr & (PAGE_SIZE - 1);
> > - if ((params.guest_len + offset > PAGE_SIZE))
> > + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
>
> I see the original if statement had double parentheses, which looks
> strange. Should this if (and the one below) be:
>
> if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
Isn't the order of operations here: '+' and then '>'. So is the patch
correct and matches the old conditional? I am fine adding additional
() for clarity though.
On 1/10/23 10:44, Peter Gonda wrote:
>>>
>>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
>>> index 273cba809328..9451de72f917 100644
>>> --- a/arch/x86/kvm/svm/sev.c
>>> +++ b/arch/x86/kvm/svm/sev.c
>>> @@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>>>
>>> /* Check if we are crossing the page boundary */
>>> offset = params.guest_uaddr & (PAGE_SIZE - 1);
>>> - if ((params.guest_len + offset > PAGE_SIZE))
>>> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
>>
>> I see the original if statement had double parentheses, which looks
>> strange. Should this if (and the one below) be:
>>
>> if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
>
> Isn't the order of operations here: '+' and then '>'. So is the patch
> correct and matches the old conditional? I am fine adding additional
But what was the purpose of them in the old conditional? They weren't
necessary.
But, yes, that order of operations is correct and those are both before
'||'. So the extra parentheses around the second condition check are still
strange then, right?
Given that, then:
if (params.guest_len > PAGE_SIZE || params.guest_len + offset > PAGE_SIZE)
> () for clarity though.
I do like the look and clarity of the parentheses around the addition.
Thanks,
Tom
On Tue, Jan 10, 2023 at 10:16 AM Tom Lendacky <[email protected]> wrote:
>
> On 1/10/23 10:44, Peter Gonda wrote:
> >>>
> >>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> >>> index 273cba809328..9451de72f917 100644
> >>> --- a/arch/x86/kvm/svm/sev.c
> >>> +++ b/arch/x86/kvm/svm/sev.c
> >>> @@ -1294,7 +1294,7 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
> >>>
> >>> /* Check if we are crossing the page boundary */
> >>> offset = params.guest_uaddr & (PAGE_SIZE - 1);
> >>> - if ((params.guest_len + offset > PAGE_SIZE))
> >>> + if (params.guest_len > PAGE_SIZE || (params.guest_len + offset > PAGE_SIZE))
> >>
> >> I see the original if statement had double parentheses, which looks
> >> strange. Should this if (and the one below) be:
> >>
> >> if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE)
> >
> > Isn't the order of operations here: '+' and then '>'. So is the patch
> > correct and matches the old conditional? I am fine adding additional
>
> But what was the purpose of them in the old conditional? They weren't
> necessary.
>
> But, yes, that order of operations is correct and those are both before
> '||'. So the extra parentheses around the second condition check are still
> strange then, right?
>
> Given that, then:
>
> if (params.guest_len > PAGE_SIZE || params.guest_len + offset > PAGE_SIZE)
>
> > () for clarity though.
>
> I do like the look and clarity of the parentheses around the addition.
Sounds good to me. I'll update the V2 in a couple days to wait for any
other comments.
>
> Thanks,
> Tom