Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1981507ybt; Thu, 2 Jul 2020 20:10:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyHSIDnCZoFKfAKhh3f/4aOZxhHfBsoT8x4g7EUmr1bPVw+LgQFkrfIxaeY1IZD0W4NinVG X-Received: by 2002:aa7:d7d0:: with SMTP id e16mr38154163eds.10.1593745847292; Thu, 02 Jul 2020 20:10:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593745847; cv=none; d=google.com; s=arc-20160816; b=DxVO3OeKWUu+u2QR43J1NJik41+gIBxwFAnShFOU6s7fqlivffnKuYjTT1lPRiAFTT XteO18poKSrPyKQ8/NcE5XUse7sDjIO/8G21PUyoCtEIKD3kGXzqND9Pg72SfqtyrRwz 0vqwfi7uBL61PZiSPj/2Z57wBvJ7qtR+JLuyLITcCUsg4bvlHbvxgN0ZBjqXq7fNZTyB XeZgVfmLCFomx/e/++XcVgWzNC/neReitNc1WnRoc9PfK6fHJoiW3qH7Bb2MWpqGZvIJ xSVY29njJWgNgWPrlowKA49Ny6pbrytpc+p/eDcHEeUu3h9DtlskifomNjfn9MkFmsQc 3H1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:organization:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:ironport-sdr:ironport-sdr; bh=i5zrQojTQpKOB9bzqZl1rzZLMhj9hhncm2g+dDmbTWw=; b=VkXgk0YYW4HZ0GXnbtOHEPhh7gRiGH6QJuB4cN5nQpb6lsuWEi2Hpec2XIgOjjMo/m DQSe5ZELN6QKihdGt44jKMF1kHPgN4q75AXv0oXayGwn1BI4o6ABKSiCmld06gs4w3RG 9dfOV7F1VKSDZCz86/gIHssNGB0TwbuLqpcYdyT2gAJszFHpQ8ZX/On/jGyanMghyT/h oKFoCPXX7+9rH4o+vC/jbsStu3hX3rVQUzO/Xr/fcbBoEcUYcTQJFnNjRQFzPcgHdYmp kq4GGibUd0ohUpn+2BDTp7wXsmEFKy1oBoWUwosxXlp5OFwe8FhlsqBxn2zo9V6/3qMh LCBQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g8si6918530ejo.221.2020.07.02.20.10.23; Thu, 02 Jul 2020 20:10:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726074AbgGCDJo (ORCPT + 99 others); Thu, 2 Jul 2020 23:09:44 -0400 Received: from mga17.intel.com ([192.55.52.151]:43112 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725915AbgGCDJo (ORCPT ); Thu, 2 Jul 2020 23:09:44 -0400 IronPort-SDR: Oh2U5pS+1iJOcn5ffAEMiQLvZ7/K5CqCouF7fxnmbCMFHzhix/p9hoZ+GMFsfXfiV3ZXGrAtd/ zeKaE8Lt9H0A== X-IronPort-AV: E=McAfee;i="6000,8403,9670"; a="127166618" X-IronPort-AV: E=Sophos;i="5.75,306,1589266800"; d="scan'208";a="127166618" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jul 2020 20:09:43 -0700 IronPort-SDR: aPFCC2Rjr2grbjLW42eLLUBa1wZ2Pj6RM0b2nYbGW7eym/tg1+xXFs6GGgWYXShSYtcTco/gLx R/ivR5oK335g== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,306,1589266800"; d="scan'208";a="455744536" Received: from skochetx-mobl1.ger.corp.intel.com (HELO localhost) ([10.252.55.66]) by orsmga005.jf.intel.com with ESMTP; 02 Jul 2020 20:09:29 -0700 Date: Fri, 3 Jul 2020 06:09:28 +0300 From: Jarkko Sakkinen To: Borislav Petkov Cc: x86@kernel.org, linux-sgx@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Jethro Beekman , Haitao Huang , Chunyang Hui , Jordan Hand , Nathaniel McCallum , Seth Moore , Sean Christopherson , Suresh Siddha , akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com, asapek@google.com, cedric.xing@intel.com, chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com, josh@joshtriplett.org, kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com, ludloff@google.com, luto@kernel.org, nhorman@redhat.com, puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com Subject: Re: [PATCH v33 11/21] x86/sgx: Linux Enclave Driver Message-ID: <20200703030928.GE306897@linux.intel.com> References: <20200617220844.57423-1-jarkko.sakkinen@linux.intel.com> <20200617220844.57423-12-jarkko.sakkinen@linux.intel.com> <20200626091419.GB27151@zn.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200626091419.GB27151@zn.tnic> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 26, 2020 at 11:14:19AM +0200, Borislav Petkov wrote: > On Thu, Jun 18, 2020 at 01:08:33AM +0300, Jarkko Sakkinen wrote: > > diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst > > index 59472cd6a11d..35f713e3a267 100644 > > --- a/Documentation/userspace-api/ioctl/ioctl-number.rst > > +++ b/Documentation/userspace-api/ioctl/ioctl-number.rst > > @@ -323,6 +323,7 @@ Code Seq# Include File Comments > > > > 0xA3 90-9F linux/dtlk.h > > 0xA4 00-1F uapi/linux/tee.h Generic TEE subsystem > > +0xA4 00-1F uapi/asm/sgx.h Intel SGX subsystem (a legit conflict as TEE and SGX do not co-exist) > > Maybe add ? > > > 0xAA 00-3F linux/uapi/linux/userfaultfd.h > > 0xAB 00-1F linux/nbd.h > > 0xAC 00-1F linux/raw.h > > ... > > > +static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs) > > +{ > > + unsigned long encl_size = secs->size + PAGE_SIZE; > > Wait, you just copied @secs from user memory in sgx_ioc_enclave_create() > and now use ->size unverified? You're kidding, right? The validation is done in sgx_validate_secs(). > > > + struct sgx_epc_page *secs_epc; > > + unsigned long ssaframesize; > > + struct sgx_pageinfo pginfo; > > + struct sgx_secinfo secinfo; > > + struct file *backing; > > + long ret; > > + > > + if (atomic_read(&encl->flags) & SGX_ENCL_CREATED) > > + return -EINVAL; > > + > > + ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm); > > So this is using more un-validated user input to do further calculations. > What can possibly go wrong? > > I sure hope *I* am wrong and am missing something here. > > If not, please, for the next version, audit all your user input and > validate it before using it. Srsly. It works but is unclean. I'd guess reason for this is just that code has evolved into this state over time. I'd just move the call to sgx_calc_ssaframesize() inside sgx_validate_secs(). /Jarkko