Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp975658iob; Fri, 13 May 2022 18:17:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyAun3WV7/si4uzMp6A/C001vG5a+U9WUCtKjHfELnrC7CwjG3cnAvrLahCGRqw/jZX+NRD X-Received: by 2002:a5d:4dc7:0:b0:20a:ed1a:2c0 with SMTP id f7-20020a5d4dc7000000b0020aed1a02c0mr5818248wru.448.1652491027677; Fri, 13 May 2022 18:17:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652491027; cv=none; d=google.com; s=arc-20160816; b=IFQ6Qdnxx5yvWRSwkvbXkR1ij+4XqC+UzP+7fWaZx0NIiFLjZmnKlN0owN9PN7QIVt I8fe11K/O9/NFfrLSA6+r1Rhb3+f8QqetCWji9u+ryCdZ0HqDXaAqLY0rrwc00NDxnF6 6Veeft2CHg8jdKmtNW/IZ3uf0oWKAULiCEtB3tz1H9cplljGkMTkTXgFGozDBEXFh0Cb drj1KQ5emIGrKyGvCg3LmAyWRu4fxBFLpjKWcIF/ecK9CwmaKXZB1HgsnL4jfFGFlie3 fM30GAATkEA+taEsniSQQwSCh3FbI8bxz3dY2MbvlkgyB++Vb5xSMLXoZZZEI9KPEDPU e/dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=pjCREFqJlKd2e4ScgAkDgjCbWBN7JS6DRPvPR2eYjk4=; b=axwRzXeYTn3GthCHlzr7kgqdoPP8qpIA1H7nfvmxZa4gJyM126Lc50B0RrNeMa/8Pk IH7/EyUbAo5N5PAvtFhLnpayOdMAkF3Tu45dlXvDzr7tiruzHZp2kcl48SjCtlof5xbD 4k2xXxP0MdqgZowE+U4M7ND9uFC1YNd7otTq9PyaH9aIEZ9edwGiaPXOIybr3XvnqAjn TotYmUit1Gk3tOZKqPp28uK+UkfblyNjJ1Yc0Mbbpwe8uK6QulEM2lwp6vmA8ZsfpmvM ou4rrE9ZbDiz5ja9GsJb95MRg/T/usL4bnvgpap3lXc3oklK+zUZSLHrsZT37VOMXvp3 EGmA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=KwRkUDm8; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id j16-20020a5d4530000000b002078a75b50dsi3144792wra.762.2022.05.13.18.17.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 18:17:07 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=KwRkUDm8; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7DC443B440F; Fri, 13 May 2022 16:47:38 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1381714AbiEMUJu (ORCPT + 99 others); Fri, 13 May 2022 16:09:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234777AbiEMUJr (ORCPT ); Fri, 13 May 2022 16:09:47 -0400 Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A96F45A2EC for ; Fri, 13 May 2022 13:09:46 -0700 (PDT) Received: by mail-lj1-x22a.google.com with SMTP id t25so11523964ljd.6 for ; Fri, 13 May 2022 13:09:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pjCREFqJlKd2e4ScgAkDgjCbWBN7JS6DRPvPR2eYjk4=; b=KwRkUDm8dsv90HT32n7Ztq64gzcZF/kbB6tGx1fdQXDKGZjG+GBVpWD5AOzmGAWnd/ rerMc/t+Kt10xdfBUlOCSActjob6KhPB4oKiXD392qk8MZ0VHkJPsrHoE62OIQs8WWPS /woEZdsfOwomyd9Fj4W/PAgH+rT6NJIIckIrUocjf2DpBUF59s+U5V1ibDFxwg2y6ov9 OeGsICg7lU+vGRU1tPMWBOEoNc1ZjfELi8R4AHlvwpLGgFLOkbyeGW1/JLSvi+nNgZEN /8aIvf0iAOF4sFr9xIkbwN/NITqEFAGVxG54VyVFuxs8n57P2CDyO5IBDUhTTRY2P6aB 5vAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pjCREFqJlKd2e4ScgAkDgjCbWBN7JS6DRPvPR2eYjk4=; b=ZxYNkGdXf9V57HTUQUrR0iAhriK4t6EWV9m8Td3rVJ0PdbC5q3mJnegPft8g8zerhN qRyNxqotnW/HVZN9zjeTzixN4oZI3bEiuy7iscJCVFz83P6Ucb7QAGo6F0lw9xCpHVub f3x3k666VYLOrLasv8mVq6IprcKlT1J9QMHoZIkvytaEWl+GRsmZ2RqTsgCPSSlUaLx5 gL9WooF8vtSc2OzXy/D/8drutxmYsYoSf8M/Hc0tcHS2a1lXzKKVflxSYQ7mINm8ViNT 85bS1kAx5CUpRfVfGt+fIOGIT0+gSKKnefi5KFBBBhbybgf8jTaj9n1sJV3oBtnrWyGG RwRQ== X-Gm-Message-State: AOAM531YG+nSvPzcXMRZtthCx9Z9TuoYDgbmxzUQ0GDFZsuL3DC9kHtO 91wvX9euc484Dabq/b0CSRh8Q3PpNCBnpJI+VNQW6g== X-Received: by 2002:a05:651c:1508:b0:250:5b32:55d5 with SMTP id e8-20020a05651c150800b002505b3255d5mr4018224ljf.278.1652472584716; Fri, 13 May 2022 13:09:44 -0700 (PDT) MIME-Version: 1.0 References: <20220512202328.2453895-1-Ashish.Kalra@amd.com> <51219031-935d-8da4-7d8f-80073a79f794@amd.com> In-Reply-To: <51219031-935d-8da4-7d8f-80073a79f794@amd.com> From: Peter Gonda Date: Fri, 13 May 2022 16:09:33 -0400 Message-ID: Subject: Re: [PATCH] KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel memory leak. To: Ashish Kalra Cc: Sean Christopherson , Ashish Kalra , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Joerg Roedel , "Lendacky, Thomas" , Borislav Petkov , "the arch/x86 maintainers" , kvm list , LKML , Andy Nguyen , David Rientjes , John Allen Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 13, 2022 at 2:11 PM Ashish Kalra wrote: > > Hello Sean & Peter, > > On 5/13/22 14:49, Sean Christopherson wrote: > > On Fri, May 13, 2022, Peter Gonda wrote: > >> On Thu, May 12, 2022 at 4:23 PM Ashish Kalra wrote: > >>> From: Ashish Kalra > >>> > >>> For some sev ioctl interfaces, the length parameter that is passed maybe > >>> less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data > >>> that PSP firmware returns. In this case, kmalloc will allocate memory > >>> that is the size of the input rather than the size of the data. > >>> Since PSP firmware doesn't fully overwrite the allocated buffer, these > >>> sev ioctl interface may return uninitialized kernel slab memory. > >>> > >>> Reported-by: Andy Nguyen > >>> Suggested-by: David Rientjes > >>> Suggested-by: Peter Gonda > >>> Cc: kvm@vger.kernel.org > >>> Cc: linux-kernel@vger.kernel.org > >>> Signed-off-by: Ashish Kalra > >>> --- > >>> arch/x86/kvm/svm/sev.c | 6 +++--- > >>> 1 file changed, 3 insertions(+), 3 deletions(-) > >>> > >> Can we just update all the kmalloc()s that buffers get given to the > >> PSP? For instance doesn't sev_send_update_data() have an issue? > >> Reading the PSP spec it seems like a user can call this ioctl with a > >> large hdr_len and the PSP will only fill out what's actually required > >> like in these fixed up cases? This is assuming the PSP is written to > >> spec (and just the current version). I'd rather have all of these > >> instances updated. > > Yes, this function is also vulnerable as it allocates the return buffer > using kmalloc() and copies back to user the buffer sized as per the user > provided length (and not the FW returned length), so it surely needs fixup. > > I will update all these instances to use kzalloc() instead of kmalloc(). Do we need the alloc_page() in __sev_dbg_encrypt_user() to have __GFP_ZERO too? > > > Agreed, the kernel should explicitly initialize any copy_to_user() to source and > > never rely on the PSP to fill the entire blob unless there's an ironclad guarantee > > the entire struct/blob will be written. E.g. it's probably ok to skip zeroing > > "data" in sev_ioctl_do_platform_status(), but even then it might be wortwhile as > > defense-in-depth. > > > > Looking through other copy_to_user() calls: > > > > - "blob" in sev_ioctl_do_pek_csr() > > - "id_blob" in sev_ioctl_do_get_id2() > > - "pdh_blob" and "cert_blob" in sev_ioctl_do_pdh_export() > > These functions are part of the ccp driver and a fix for them has > already been sent upstream to linux-crypto@vger.kernel.org and > linux-kernel@vger.kernel.org: > > [PATCH] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent > kernel memory leak > > Thanks, > > Ashish > > > > > The last one is probably fine since the copy length comes from the PSP, but it's > > not like these ioctls are performance critical... > > > > /* If we query the length, FW responded with expected data. */ > > input.cert_chain_len = data.cert_chain_len; > > input.pdh_cert_len = data.pdh_cert_len;